?
Solved

Restricted Groups Policy NOT F-ing Working!!!

Posted on 2011-03-15
4
Medium Priority
?
701 Views
Last Modified: 2012-05-11
I have a Restricted Groups Policy and it adds the right groups to my workstations Local Administratros Group but it does not remove the users that I dont want in there. I thought that this is what it is supposed to do. What is going on here? Thanks
0
Comment
Question by:kulisncc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 35143068
This means that you did not setup the restricted groups in the form that you want.
You have
domain group is a member of builtin\administrators which means this is an append mechanism
For what you want to achieve the GPO should have
Administrators has the following members.
This will flush the builtin-administrators and will replace them with the members.
Prior to making this change, MAKE sure that this GPO does not apply to your Domain Controllers and make sure that domain admins , builtin/administrator, etc accounts are included in the restricted group setting or you will lock yourself out.
0
 

Author Comment

by:kulisncc
ID: 35150508
Okay, I think I understand what you were attempting to clarify above. I appreciate it nontheless though. I did in fact add the Domain Admins to the Restricted Groups policy and made them members of the Local Adminstrators group on each workstation. Are you saying that this configuration is supposed to flush the builtin\Administrators group? Because if that is the case then my GPO should be working. This is not the first time I have created these GPO's and I am not new to GPO's since I have been working with them for quite a few years now (10 years to be exact), but a Win 2K3 DC Global Catalog server went down before I started working with this employer and the last Network Admin simply shoved a Win 2K Server in its place as the acting DC (no Global Catalog). Within the next 3 months I am going to set up two new Dell PowerEdge R610's that I ordered as DC's but until then I just want to get this done. Could the fact that there is no Global Catalog server running be the reason why the builtin\Administrators group is not being flushed?Thanks.
0
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 35153149
If you have your restricted policy defined as
domainname\administrators member of builtin\administrators
This GPO is an append mode GPO. i.e. whatever the builtin\administrators group has the domainname\administrators is added to it.
To achieve what you want,
you have to start from the builtin\Administrators group and add members the users, groups that should be part of it.  This is the flush mechanism.

The global catalog does not deal with the restricted group GPO.
Did you install GPMC http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en#SystemRequirements and using it to manage the GPOs?
When you look at the detail of the GPO in GPMC, the list of users in the member will indicate that this is a flush i.e. only the following users can be members of this group.  If you have the users/groups listed under the member of option, this is an append option. i.e. this group/user is added to the existing list.

I do not have access to a win2k DC so can not say for sure, but I think it is in the same location.
http://support.microsoft.com/kb/313994
0
 

Author Comment

by:kulisncc
ID: 35158227
I got it. Thanks for your help.
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Your data is at risk. Probably more today that at any other time in history. There are simply more people with more access to the Web with bad intentions.
In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question