Restricted Groups Policy NOT F-ing Working!!!

I have a Restricted Groups Policy and it adds the right groups to my workstations Local Administratros Group but it does not remove the users that I dont want in there. I thought that this is what it is supposed to do. What is going on here? Thanks
kulisnccAsked:
Who is Participating?
 
arnoldConnect With a Mentor Commented:
If you have your restricted policy defined as
domainname\administrators member of builtin\administrators
This GPO is an append mode GPO. i.e. whatever the builtin\administrators group has the domainname\administrators is added to it.
To achieve what you want,
you have to start from the builtin\Administrators group and add members the users, groups that should be part of it.  This is the flush mechanism.

The global catalog does not deal with the restricted group GPO.
Did you install GPMC http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en#SystemRequirements and using it to manage the GPOs?
When you look at the detail of the GPO in GPMC, the list of users in the member will indicate that this is a flush i.e. only the following users can be members of this group.  If you have the users/groups listed under the member of option, this is an append option. i.e. this group/user is added to the existing list.

I do not have access to a win2k DC so can not say for sure, but I think it is in the same location.
http://support.microsoft.com/kb/313994
0
 
arnoldCommented:
This means that you did not setup the restricted groups in the form that you want.
You have
domain group is a member of builtin\administrators which means this is an append mechanism
For what you want to achieve the GPO should have
Administrators has the following members.
This will flush the builtin-administrators and will replace them with the members.
Prior to making this change, MAKE sure that this GPO does not apply to your Domain Controllers and make sure that domain admins , builtin/administrator, etc accounts are included in the restricted group setting or you will lock yourself out.
0
 
kulisnccAuthor Commented:
Okay, I think I understand what you were attempting to clarify above. I appreciate it nontheless though. I did in fact add the Domain Admins to the Restricted Groups policy and made them members of the Local Adminstrators group on each workstation. Are you saying that this configuration is supposed to flush the builtin\Administrators group? Because if that is the case then my GPO should be working. This is not the first time I have created these GPO's and I am not new to GPO's since I have been working with them for quite a few years now (10 years to be exact), but a Win 2K3 DC Global Catalog server went down before I started working with this employer and the last Network Admin simply shoved a Win 2K Server in its place as the acting DC (no Global Catalog). Within the next 3 months I am going to set up two new Dell PowerEdge R610's that I ordered as DC's but until then I just want to get this done. Could the fact that there is no Global Catalog server running be the reason why the builtin\Administrators group is not being flushed?Thanks.
0
 
kulisnccAuthor Commented:
I got it. Thanks for your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.