Solved

Restricted Groups Policy NOT F-ing Working!!!

Posted on 2011-03-15
Last Modified: 2012-05-11
I have a Restricted Groups Policy and it adds the right groups to my workstations' Local Administrators Group, but it does not remove the users that I don't want in there. I thought that this is what it is supposed to do. What is going on here? Thanks
Question by:kulisncc

Expert Comment

by:arnold
ID: 35143068
This means that you did not set up the restricted groups in the form that you want.
You have "domain group is a member of builtin\administrators", which means this is an append mechanism.
For what you want to achieve, the GPO should have "Administrators has the following members".
This will flush the builtin-administrators and will replace them with the members.
Prior to making this change, MAKE sure that this GPO does not apply to your Domain Controllers and make sure that domain admins, builtin/administrator, etc. accounts are included in the restricted group setting or you will lock yourself out.

Author Comment

by:kulisncc
ID: 35150508
Okay, I think I understand what you were attempting to clarify above. I appreciate it nonetheless though. I did in fact add the Domain Admins to the Restricted Groups policy and made them members of the Local Administrators group on each workstation. Are you saying that this configuration is supposed to flush the builtin\Administrators group? Because if that is the case then my GPO should be working. This is not the first time I have created these GPOs and I am not new to GPOs since I have been working with them for quite a few years now (10 years to be exact), but a Win 2K3 DC Global Catalog server went down before I started working with this employer and the last Network Admin simply shoved a Win 2K Server in its place as the acting DC (no Global Catalog). Within the next 3 months I am going to set up two new Dell PowerEdge R610s that I ordered as DCs but until then I just want to get this done. Could the fact that there is no Global Catalog server running be the reason why the builtin\Administrators group is not being flushed? Thanks.

Accepted Solution

by:arnold
ID: 35153149
If you have your restricted policy defined as
domainname\administrators member of builtin\administrators
This GPO is an append mode GPO, i.e. whatever the builtin\administrators group has, the domainname\administrators is added to it.
To achieve what you want,
you have to start from the builtin\Administrators group and add as members the users and groups that should be part of it. This is the flush mechanism.

The global catalog does not deal with the restricted group GPO.
Did you install GPMC (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en#SystemRequirements) and are you using it to manage the GPOs?
When you look at the detail of the GPO in GPMC, the list of users in the member will indicate that this is a flush, i.e. only the following users can be members of this group. If you have the users/groups listed under the member of option, this is an append option, i.e. this group/user is added to the existing list.

I do not have access to a win2k DC so cannot say for sure, but I think it is in the same location.
http://support.microsoft.com/kb/313994
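
The append-versus-flush distinction in the answer above is recorded in the GPO's security template (`GptTmpl.inf`) as `__Memberof` versus `__Members` keys under `[Group Membership]`. The following is an added example, not part of the original thread: it parses that section, reports which mode applies to BUILTIN\Administrators, and checks that the accounts the answer says to keep are listed. The sample templates, the domain SID and the function names are constructed for illustration.

```python
import re

# Constructed GptTmpl.inf fragments; the domain SID is made up for illustration.
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"
APPEND_GPO = f"[Group Membership]\n{DOM}-512__Memberof = *S-1-5-32-544\n{DOM}-512__Members =\n"
REPLACE_GPO = ("[Group Membership]\n*S-1-5-32-544__Memberof =\n"
               f"*S-1-5-32-544__Members = Administrator,{DOM}-512\n")
RISKY_GPO = f"[Group Membership]\n*S-1-5-32-544__Members = {DOM}-1105\n"

def is_admins(principal):
    """True for BUILTIN\\Administrators given by well-known SID or by name."""
    return principal.lstrip("*").lower() in {
        "s-1-5-32-544", "administrators", "builtin\\administrators"}

def parse_group_membership(inf_text):
    """Return {principal: {"members": [...], "memberof": [...]}}."""
    groups, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            principal, kind, value = m.groups()
            entry = groups.setdefault(principal.strip(), {})
            entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def listed(members, rid, name):
    """Match a member by trailing RID (SID form) or by account name."""
    return any(m.lower().endswith(rid) or m.lower().split("\\")[-1] == name
               for m in members)

def audit_local_admins(inf_text):
    result = {"mode": "none", "appended": [], "members": None, "warnings": []}
    for principal, entry in parse_group_membership(inf_text).items():
        if is_admins(principal) and "members" in entry:
            # "Members of this group": local membership is replaced by this list.
            result["mode"], result["members"] = "replace", entry["members"]
        elif any(is_admins(g) for g in entry.get("memberof", [])):
            # "This group is a member of": principal is added, nothing removed.
            result["appended"].append(principal)
    if result["mode"] == "replace":
        if not listed(result["members"], "-512", "domain admins"):
            result["warnings"].append("Domain Admins not in Members list")
        if not listed(result["members"], "-500", "administrator"):
            result["warnings"].append("built-in Administrator not in Members list")
    elif result["appended"]:
        result["mode"] = "append"
    return result
```

To audit a real policy, pass in the decoded text of the GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` from SYSVOL; a `replace` result with warnings is the lock-out case the answer cautions about.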

Author Comment

by:kulisncc
ID: 35158227
I got it. Thanks for your help.