MrSampsonite

asked on

How do Restricted Groups work within multiple GPOs?

Let's say an OU has two GPOs applied to it. One at that level, one from a parent.

If parentGPO contains three groups that have restricted groups with members, how are restricted groups in the childGPO handled? For example:

1. If I add only one restricted group to that childGPO, does it add that restricted group to the total list of restricted groups (and replace any in the parentGPO if they match)?
2. Or does it replace the list of restricted groups for all computers in that childOU and below with only the list in the childGPO?

Lastly, are restricted groups basically the list of groups that are local to a PC that you want to control the membership of? What happens in the case of matching names? For example, we want to control via restricted groups who can RDP to the member workstations and servers, but also control who can RDP to the domain controllers. I realize under User Rights I can specify groups or users individually, but I was hoping to just use groups and then use group membership to further manage who has that right. In the case of Remote Desktop Users, this is a domain group as well as the name for the local PC group.

Thanks!
ASKER CERTIFIED SOLUTION
Mike Kline
This solution is only available to members.
MrSampsonite

ASKER

Thanks. That explains how it works for one GPO, but it doesn't really answer what the two GPOs would result in. If I add a group to be a member of a local group in the GPO and then add another group in a subOU GPO (childGPO), will that group get added as well as the one from the parentGPO, or will only that group from the childGPO be added to the local group on the PC?

Likewise, what would happen if you set the list of users who are members of this local group at one level and then at a childGPO level? I realize from the blog that the GPOs would wipe out any settings at the local PC level for members, but will the childGPO wipe out the parent settings too, or will both merge and push down? I'm guessing the childGPO wipes it out; otherwise, how would a childOU of computer objects be able to force only certain members for that group if a parentGPO's members were being added?

Last question is this:

When adding the Remote Desktop Users group to the restricted group list, how do you make sure you're adding the local group for each PC and not the domain group with the same name?