Solved

Restricted Groups Policy NOT F-ing Working!!!

Posted on 2011-03-15
4
684 Views
Last Modified: 2012-05-11
I have a Restricted Groups Policy and it adds the right groups to my workstations' Local Administrators Group, but it does not remove the users that I don't want in there. I thought that this is what it is supposed to do. What is going on here? Thanks
0
Question by:kulisncc
  • 2
  • 2
4 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 35143068
This means that you did not set up the restricted groups in the form that you want.
You have
domain group is a member of builtin\administrators, which means this is an append mechanism.
For what you want to achieve, the GPO should have
Administrators has the following members.
This will flush the builtin\administrators group and will replace them with the members.
Prior to making this change, MAKE sure that this GPO does not apply to your Domain Controllers, and make sure that domain admins, builtin\administrator, etc. accounts are included in the restricted group setting or you will lock yourself out.
0
 

Author Comment

by:kulisncc
ID: 35150508
Okay, I think I understand what you were attempting to clarify above. I appreciate it nonetheless though. I did in fact add the Domain Admins to the Restricted Groups policy and made them members of the Local Administrators group on each workstation. Are you saying that this configuration is supposed to flush the builtin\Administrators group? Because if that is the case then my GPO should be working. This is not the first time I have created these GPOs and I am not new to GPOs since I have been working with them for quite a few years now (10 years to be exact), but a Win 2K3 DC Global Catalog server went down before I started working with this employer and the last Network Admin simply shoved a Win 2K Server in its place as the acting DC (no Global Catalog). Within the next 3 months I am going to set up two new Dell PowerEdge R610's that I ordered as DCs, but until then I just want to get this done. Could the fact that there is no Global Catalog server running be the reason why the builtin\Administrators group is not being flushed? Thanks.
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 35153149
If you have your restricted policy defined as
domainname\administrators member of builtin\administrators
this GPO is an append mode GPO, i.e. whatever the builtin\administrators group has, the domainname\administrators is added to it.
To achieve what you want,
you have to start from the builtin\Administrators group and add as members the users and groups that should be part of it. This is the flush mechanism.

The global catalog does not deal with the restricted group GPO.
Did you install GPMC http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en#SystemRequirements and are you using it to manage the GPOs?
When you look at the detail of the GPO in GPMC, the list of users under the "Members" option will indicate that this is a flush, i.e. only the following users can be members of this group. If you have the users/groups listed under the "Member of" option, this is an append option, i.e. this group/user is added to the existing list.

I do not have access to a win2k DC so cannot say for sure, but I think it is in the same location.
http://support.microsoft.com/kb/313994
0
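The "Members" versus "Member of" distinction above is visible on disk in the GPO's security template (GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL), where the [Group Membership] section stores one line per setting with a `__Members` or `__Memberof` suffix. The script below is an added example, not part of the original thread or any Microsoft tool: it parses two constructed templates (the asker's "Domain Admins member of Administrators" form and the recommended "Administrators has members" form) and reports whether the policy appends to or flushes BUILTIN\Administrators, flagging a flush that omits Domain Admins as a lockout risk. The domain SIDs are made up; the well-known SID S-1-5-32-544 and the -512 RID are real.

```python
"""Classify a Restricted Groups policy (GptTmpl.inf) as append or flush."""

ADMINISTRATORS = "*S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "-512"         # Domain Admins is always <domain SID>-512

# Constructed sample: "Domain Admins is a MEMBER OF Administrators" (append mode).
APPEND_INF = """[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-111-222-333-512__Memberof = *S-1-5-32-544
*S-1-5-21-111-222-333-512__Members =
"""

# Constructed sample: "Administrators has these MEMBERS" (flush mode).
FLUSH_INF = """[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-111-222-333-512,*S-1-5-21-111-222-333-500
"""

def parse_group_membership(inf_text):
    """Return (principal, mode, targets) for each [Group Membership] line."""
    in_section, rules = False, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            principal, _, suffix = key.strip().rpartition("__")
            targets = [t.strip() for t in value.split(",") if t.strip()]
            rules.append((principal, suffix.lower(), targets))
    return rules

def analyze_administrators(inf_text):
    """Say what the policy does to BUILTIN\\Administrators on a target machine."""
    rules = parse_group_membership(inf_text)
    for principal, mode, targets in rules:
        if principal == ADMINISTRATORS and mode == "members":
            # "Members" replaces the whole group: anything not listed is removed.
            risk = not any(t.endswith(DOMAIN_ADMINS_RID) for t in targets)
            return {"mode": "flush", "members": targets, "lockout_risk": risk}
    appended = [p for p, mode, t in rules if mode == "memberof" and ADMINISTRATORS in t]
    if appended:
        # "Member of" only adds the principal; existing local admins stay.
        return {"mode": "append", "members": appended, "lockout_risk": False}
    return {"mode": "none", "members": [], "lockout_risk": False}
```

Point it at a real GptTmpl.inf before linking the GPO to a workstation OU; a result of `append` is exactly the configuration the thread describes as "not working".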
 

Author Comment

by:kulisncc
ID: 35158227
I got it. Thanks for your help.
0
