How do Restricted Groups work within multiple GPOs?
Posted on 2010-08-31
Let's say an OU has two GPOs applied to it. One at that level, one from a parent.
If parentGPO contains three groups that have restricted groups with members, how are restricted groups in the childGPO handled? For example:
1. If I add only one restricted group to that childGPO, does it add that restricted group to the total list of restricted groups (and replace any in the parentGPO if they match)?
2. Or does it replace the list of restricted groups for all computers in that childOU and below with only the list in the childGPO?
Lastly, are restrictued groups basically the list of groups that are local to a PC that you want to control the membership of? What happens in the case of matching names? For example we want to control via restricted groups who can RDP to the member workstations and servers, but also control who can RDP to the domain controllers. I realize under User Rights I can specify groups or users individually, but I was hoping to just use groups and then use group membership to further manage who has that right. In the case of Remote Desktop Users, this is a domain group as well as the name for the local PC group.