how to fix restricted groups in group policy on server 2008??

we are running server 2008 domain and we need to apply restricted groups to our computers.  we are running an XP/windows 7 environment.  when we configure restricted groups in the policy it is overwriting anything we manually put onto the local users and computers.  

for example if i add domain admins to the computer manually it saves and then when the group policy runs it overwrites that entry.  how do i stop this??
amoosAsked:

SGrossmannCommented:
This behaviour is by design. The only chance to change this is to create a group within Active Directory and configure restricted groups to add this group to other groups, then it keeps locally configured settings. If you set the members of a group by restricted groups these settings are enforced every time the GPO is applied.
0

amoosAuthor Commented:
ok.  then can you give me an example of what policy i would have to make for this?
0
meagain35Commented:
Server 2008, this policy should allow you to "Update" the group.

Computer configuration\Preferences\Control Panel Settings\Local Users and Groups

The "Administrators (built-in)" should be added to the list with the "Update" action selected.

0
amoosAuthor Commented:
sadly that is what i have been doing but it is overwriting the entries that are made manually.
0
SGrossmannCommented:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

This is a small guide. The idea would be e.g. you want to add UserA, UserB and UserC to PowerUsers of specific computers and you added UserD and UserE locally to this group. Create a group called e.g. GRP_PowerUser_Clients and add UserA, UserB and UserC to this group. Now create a GPO with a restricted group. The group to restrict is GRP_PowerUser_Clients and set "This group is member of" BUILTIN\PowerUser
0
amoosAuthor Commented:
great link but for some reason the policy is still overwriting the groups we manually put in.
0
SGrossmannCommented:
did you wait until the gpo change was replicated to all Domain Controllers?
0
amoosAuthor Commented:
yes
0
meagain35Commented:
Can you confirm your GPO path is:
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups

and not

Computer Configuration\Policies\Windows Settings\Restricted Groups

I also use this policy and do not have this issue of overwriting on gp refreshes. There is a difference between the two. But I use the GPO in Preferences to accomplish.
0
SGrossmannCommented:
The solution from meagain is another option; never used it yet but it should work as described.

Did you remove the old policy before adding the new one with the group is member of instead of member of group?
0
amoosAuthor Commented:
i am currently using both.  
0
amoosAuthor Commented:
this is a completely new policy
0
SGrossmannCommented:
both restricted groups? Is Member of and Members or GPO and GPP? If you are using both, the Restricted group "Members of group" is enforced
0
amoosAuthor Commented:
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups

and

Computer Configuration\Policies\Windows Settings\Restricted Groups
0
meagain35Commented:
Ah.. well that would explain the conflict... Get rid of the

Computer Configuration\Policies\Windows Settings\Restricted Groups

as this would have preference over the other.

0
SGrossmannCommented:
If you are using a "Members of Group" restricted group anywhere for the group you're testing this will enforce this setting.
0
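Added example (not part of the thread and not any participant's code): one way to check whether a GPO still carries an enforcing "Members" list is to read the `[Group Membership]` section of that GPO's `GptTmpl.inf`, where Restricted Groups settings are stored as `<group>__Members` and `<group>__Memberof` lines. The function name `Get-RestrictedGroupEntry`, the `CONTOSO` domain and the domain SID in the sample are assumptions made for illustration; the sample file content is constructed.

```powershell
# Constructed sample of a GptTmpl.inf; CONTOSO and the domain SID are placeholders.
# A real copy lives under:
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
CONTOSO\GRP_PowerUser_Clients__Memberof = *S-1-5-32-547
CONTOSO\GRP_PowerUser_Clients__Members =
'@

function Get-RestrictedGroupEntry {
    # Hypothetical helper: returns one object per Restricted Groups line.
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only the [Group Membership] section holds Restricted Groups data.
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group = $Matches[1]; $kind = $Matches[2]; $raw = $Matches[3]
            # Split the comma-separated value list and drop empty items.
            $values = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($values.Count -eq 0)     { $effect = 'no value set' }
            elseif ($kind -eq 'Members') { $effect = 'member list enforced on every refresh' }
            else                         { $effect = 'group is added to the listed groups' }
            New-Object PSObject -Property @{
                Group = $group; Setting = $kind
                Values = ($values -join ', '); Effect = $effect
            }
        }
    }
}

# *S-1-5-32-544 is BUILTIN\Administrators, *S-1-5-32-547 is BUILTIN\Power Users.
$entries = Get-RestrictedGroupEntry -Lines ($sample -split "`r?`n")
$entries | Select-Object Group, Setting, Values, Effect | Format-Table -AutoSize

# Entries that replace manually added members on the target group:
$entries | Where-Object { $_.Setting -eq 'Members' -and $_.Values } |
    Select-Object Group, Values
```

For the sample above the last command lists only `*S-1-5-32-544`, the entry whose member list is rewritten at each policy refresh.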
amoosAuthor Commented:
i must be doing something really wrong because it is still overwriting users that we put in manually
0
meagain35Commented:
run a gpresult /V on the machine and verify that the other policy is not still being applied.... depending on your environment, you may need to wait or force replication on your dc's to be positive.

a gpresult will show you what's being applied to be sure.

0
amoosAuthor Commented:
when i run the gpresult and then the rsop  it shows that the restricted groups have a red "X" next to them
0
amoosAuthor Commented:
this is only on windows 7  the groups go through fine and do not overwrite on the XP machines
0
SGrossmannCommented:
try to reboot the windows 7 machine. If you still have problems enable debug logging for gpo processing

http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845%2D88d2%2D4091%2D8088%2Da6bbce0a4304&ID=353
0
amoosAuthor Commented:
we have rebooted the machines and still get the same result.    i will enable debugging and post again soon
0