Solved

How to fix restricted groups in Group Policy on Server 2008?

Posted on 2010-08-18
Last Modified: 2012-05-10
We are running a Server 2008 domain and we need to apply restricted groups to our computers. We are running an XP/Windows 7 environment. When we configure restricted groups in the policy, it is overwriting anything we manually put onto the local users and computers.

For example, if I add Domain Admins to the computer manually, it saves, and then when the group policy runs it overwrites that entry. How do I stop this?
0
Question by:amoos
22 Comments
 
LVL 8

Accepted Solution

by:
SGrossmann earned 2000 total points
ID: 33469195
This behaviour is by design. The only chance to change this is to create a group within Active Directory and configure restricted groups to add this group to other groups; then it keeps locally configured settings. If you set the members of a group by restricted groups, these settings are enforced every time the GPO is applied.
0
 

Author Comment

by:amoos
ID: 33469218
OK. Then can you give me an example of what policy I would have to make for this?
0
 
LVL 3

Expert Comment

by:meagain35
ID: 33469220
Server 2008, this policy should allow you to "Update" the group.

Computer configuration\Preferences\Control Panel Settings\Local Users and Groups

The "Administrators (built-in)" should be added to the list with the "Update" action selected.

view image.


gp.jpg
0
 

Author Comment

by:amoos
ID: 33469234
Sadly, that is what I have been doing, but it is overwriting the entries that are made manually.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33469293
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

This is a small guide. The idea would be, e.g., you want to add UserA, UserB and UserC to PowerUsers of specific computers, and you added UserD and UserE locally to this group. Create a group called e.g. GRP_PowerUser_Clients and add UserA, UserB and UserC to this group. Now create a GPO with a restricted group. The group to restrict is GRP_PowerUser_Clients; set "This group is member of" to BUILTIN\PowerUser.
0
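The difference between the two Restricted Groups modes discussed above is visible in the GPO's security template (`GptTmpl.inf`), where each group gets a `__Members` and a `__Memberof` line under `[Group Membership]`. The following is an added example, not code from any post in this thread: the sample template is constructed, every SID is a placeholder, and `Get-RestrictedGroupEffect` is a hypothetical helper name.

```powershell
# Constructed sample of the [Group Membership] section of a GPO security
# template (GptTmpl.inf). All SIDs are placeholders.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-547
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
'@

# Hypothetical helper: classify each Restricted Groups entry by its effect.
function Get-RestrictedGroupEffect {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the [Group Membership] section holds Restricted Groups.
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if ($inSection -and $line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group']
            $kind  = $Matches['kind']
            $list  = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

            if ($kind -eq 'Memberof') {
                # "This group is a member of": nothing listed means nothing to add.
                if ($list.Count -eq 0) { continue }
                $effect = 'Additive: group is added to the listed groups'
            } else {
                # "Members of this group": the list, even when empty, is enforced.
                $effect = 'Enforced: membership is replaced each time the GPO is applied'
            }
            [pscustomobject]@{ Group = $group; Setting = $kind; Values = $list -join ','; Effect = $effect }
        }
    }
}

Get-RestrictedGroupEffect -InfText $sampleInf | Format-Table -AutoSize
```

In the sample, the `__Members` row for `*S-1-5-32-544` (BUILTIN\Administrators) is the kind of entry that removes manually added accounts, while the `__Memberof` row pointing at `*S-1-5-32-547` (BUILTIN\Power Users) corresponds to the "This group is member of" approach.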
 

Author Comment

by:amoos
ID: 33469356
Great link, but for some reason the policy is still overwriting the groups we manually put in.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33469378
Did you wait until the GPO change was replicated to all Domain Controllers?
0
 

Author Comment

by:amoos
ID: 33469386
yes
0
 
LVL 3

Expert Comment

by:meagain35
ID: 33469416
Can you confirm your GPO path is:
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups

and not

Computer Configuration\Policies\Windows Settings\Restricted Groups

I also use this policy and do not have this issue of overwriting on gp refreshes. There is a difference between the two. But I use the GPO in Preferences to accomplish.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33469441
The solution from meagain is another option; never used it yet, but it should work as described.

Did you remove the old policy before adding the new one with "the group is member of" instead of "member of group"?
0
 

Author Comment

by:amoos
ID: 33469445
I am currently using both.
0
 

Author Comment

by:amoos
ID: 33469449
This is a completely new policy.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33469459
Both restricted groups? "Is Member of" and "Members", or GPO and GPP? If you are using both, the restricted group "Members of group" is enforced.
0
 

Author Comment

by:amoos
ID: 33469482
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups

and

Computer Configuration\Policies\Windows Settings\Restricted Groups
0
 
LVL 3

Expert Comment

by:meagain35
ID: 33469499
Ah.. well that would explain the conflict... Get rid of the

Computer Configuration\Policies\Windows Settings\Restricted Groups

as this would have preference over the other.

0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33469525
If you are using a "Members of Group" restricted group anywhere for the group you're testing, this will enforce this setting.
0
 

Author Comment

by:amoos
ID: 33469550
I must be doing something really wrong, because it is still overwriting users that we put in manually.
0
 
LVL 3

Expert Comment

by:meagain35
ID: 33469581
Run a gpresult /V on the machine and verify that the other policy is not still being applied. Depending on your environment, you may need to wait or force replication on your DCs to be positive.

A gpresult will show you what's being applied, to be sure.

0
 

Author Comment

by:amoos
ID: 33469614
When I run the gpresult and then the RSoP, it shows that the restricted groups have a red "X" next to them.
0
 

Author Comment

by:amoos
ID: 33469617
This is only on Windows 7. The groups go through fine and do not overwrite on the XP machines.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33469645
Try to reboot the Windows 7 machine. If you still have problems, enable debug logging for GPO processing:
http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845%2D88d2%2D4091%2D8088%2Da6bbce0a4304&ID=353
0
 

Author Comment

by:amoos
ID: 33469655
We have rebooted the machines and still get the same result. I will enable debugging and post again soon.
0
