Solved

How do Restricted Groups work within multiple GPOs?

Posted on 2010-08-31
1,515 Views
Last Modified: 2012-05-10
Let's say an OU has two GPOs applied to it. One at that level, one from a parent.

If parentGPO contains three groups that have restricted groups with members, how are restricted groups in the childGPO handled? For example:

1. If I add only one restricted group to that childGPO, does it add that restricted group to the total list of restricted groups (and replace any in the parentGPO if they match)?
2. Or does it replace the list of restricted groups for all computers in that childOU and below with only the list in the childGPO?

Lastly, are restricted groups basically the list of groups that are local to a PC that you want to control the membership of? What happens in the case of matching names? For example, we want to control via restricted groups who can RDP to the member workstations and servers, but also control who can RDP to the domain controllers. I realize under User Rights I can specify groups or users individually, but I was hoping to just use groups and then use group membership to further manage who has that right. In the case of Remote Desktop Users, this is a domain group as well as the name for the local PC group.

Thanks!
Question by:MrSampsonite
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33569066
So for those not familiar with restricted groups, see
http://www.frickelsoft.net/blog/?p=13
If you use the top box "members of this group", that will wipe what is there and replace it with what you define. So the GPO that would take precedence is at the OU level (childGPO would win in your example and that is what would be defined).
If you use the bottom box "this group is a member of", then it would be cumulative, meaning that what you added in parentGPO would be there and the groups defined in childGPO would also be added (non-destructive).
As far as restricted groups for domain group membership on a DC: not supported.
http://support.microsoft.com/kb/279301
Managing membership of Domain Groups by using Restricted Groups

Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.
Thanks
Mike
 

Author Comment

by:MrSampsonite
ID: 33569646
Thanks. That explains how it works for one GPO, but it doesn't really answer what the two GPOs would result in. If I add a group to be a member of a local group in the GPO and then add another group in a subOU GPO (childGPO), will that group get added as well as the one from the parentGPO, or will only that group from the childGPO be added to the local group on the PC?

Likewise what would happen if you set the list of users who are members of this local group at one level and then at a childGPO level? I realize from the blog that the GPOs would wipe out any settings at the local PC level for members, but will the childGPO wipe out the parent settings too or will both merge and push down? I'm guessing the childGPO wipes it out, otherwise how would a childOU of computer objects be able to force only certain members for that group if a parentGPO's members were being added.

Last question is this:

When adding the Remote Desktop Users group to the restricted group list, how do you make sure you're adding the local group for each PC and not the domain group with the same name?
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 500 total points
ID: 33569793
Yes, if you use the bottom box, the groups you define in all the GPOs will all be added (parent and child GPOs).

For the second one, the child would win and wipe out all the parent members (I haven't tested that; I have tested the first scenario and that is what we do in our domain).

When you select the group, use computername\group.

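As an added example (not part of this thread), the Python script below parses the [Group Membership] section that Restricted Groups settings are stored in within a GPO's GptTmpl.inf and combines a parent and a child GPO under the rule the answers describe: a "Members" (top box) list is replaced outright by the highest-precedence GPO, while "Memberof" (bottom box) entries accumulate across GPOs and leave existing local members alone. The inf fragments and the domain SIDs starting S-1-5-21-1000-2000-3000 are constructed; the replace-versus-accumulate rule is the thread's claim and is modelled, not verified against Windows. It also shows how the well-known SID S-1-5-32-555 identifies the local Remote Desktop Users group regardless of any domain group with the same name.

```python
import re
# Constructed [Group Membership] fragments in GptTmpl.inf syntax; the SIDs that
# start S-1-5-21-1000-2000-3000 are made up. "*X__Members" is the top box (members
# of this group); "*X__Memberof" is the bottom box (X is made a member of these).
PARENT_GPO = """[Group Membership]
*S-1-5-32-555__Members = *S-1-5-21-1000-2000-3000-1105
*S-1-5-32-555__Memberof =
*S-1-5-21-1000-2000-3000-1106__Memberof = *S-1-5-32-555
"""
CHILD_GPO = """[Group Membership]
*S-1-5-32-555__Members = *S-1-5-21-1000-2000-3000-1107
*S-1-5-21-1000-2000-3000-1108__Memberof = *S-1-5-32-555,*S-1-5-32-544
"""
LINE_RE = re.compile(r"^\*?(\S+?)__(Members|Memberof)\s*=\s*(.*)$")

def parse_group_membership(inf_text):
    """Return {(group_sid, kind): [sid, ...]} from the [Group Membership] section."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            entries[(m.group(1), m.group(2))] = [
                v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
    return entries

def is_local_builtin(sid):
    """True for BUILTIN groups such as S-1-5-32-555 (local Remote Desktop Users);
    a domain group of the same name has an S-1-5-21-<domain>-<RID> SID instead."""
    return sid.startswith("S-1-5-32-")

def effective_membership(gpos_in_apply_order, existing_local=None):
    """Membership per group after the GPOs apply in order (parent first, child last).
    Assumed rule from the thread: last 'Members' list replaces all; 'Memberof' accumulates."""
    explicit, added = {}, {}
    for inf in gpos_in_apply_order:
        for (group, kind), sids in parse_group_membership(inf).items():
            if kind == "Members":
                explicit[group] = set(sids)                      # replace, never merge
            else:
                for target in sids:
                    added.setdefault(target, set()).add(group)   # cumulative
    existing_local = existing_local or {}
    result = {}
    for group in set(explicit) | set(added) | set(existing_local):
        base = explicit[group] if group in explicit else set(existing_local.get(group, ()))
        result[group] = base | added.get(group, set())
    return result
```

Running `effective_membership([PARENT_GPO, CHILD_GPO])` shows the parent's explicit member 1105 vanish from S-1-5-32-555 while both GPOs' "Memberof" additions survive, and a group with only "Memberof" entries keeps its pre-existing local members.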