• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 710
  • Last Modified:

Restricted Groups Policy NOT F-ing Working!!!

I have a Restricted Groups Policy and it adds the right groups to my workstations Local Administratros Group but it does not remove the users that I dont want in there. I thought that this is what it is supposed to do. What is going on here? Thanks
0
kulisncc
Asked:
kulisncc
  • 2
  • 2
1 Solution
 
arnoldCommented:
This means that you did not setup the restricted groups in the form that you want.
You have
domain group is a member of builtin\administrators which means this is an append mechanism
For what you want to achieve the GPO should have
Administrators has the following members.
This will flush the builtin-administrators and will replace them with the members.
Prior to making this change, MAKE sure that this GPO does not apply to your Domain Controllers and make sure that domain admins , builtin/administrator, etc accounts are included in the restricted group setting or you will lock yourself out.
0
 
kulisnccAuthor Commented:
Okay, I think I understand what you were attempting to clarify above. I appreciate it nontheless though. I did in fact add the Domain Admins to the Restricted Groups policy and made them members of the Local Adminstrators group on each workstation. Are you saying that this configuration is supposed to flush the builtin\Administrators group? Because if that is the case then my GPO should be working. This is not the first time I have created these GPO's and I am not new to GPO's since I have been working with them for quite a few years now (10 years to be exact), but a Win 2K3 DC Global Catalog server went down before I started working with this employer and the last Network Admin simply shoved a Win 2K Server in its place as the acting DC (no Global Catalog). Within the next 3 months I am going to set up two new Dell PowerEdge R610's that I ordered as DC's but until then I just want to get this done. Could the fact that there is no Global Catalog server running be the reason why the builtin\Administrators group is not being flushed?Thanks.
0
 
arnoldCommented:
If you have your restricted policy defined as
domainname\administrators member of builtin\administrators
This GPO is an append mode GPO. i.e. whatever the builtin\administrators group has the domainname\administrators is added to it.
To achieve what you want,
you have to start from the builtin\Administrators group and add members the users, groups that should be part of it.  This is the flush mechanism.

The global catalog does not deal with the restricted group GPO.
Did you install GPMC http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en#SystemRequirements and using it to manage the GPOs?
When you look at the detail of the GPO in GPMC, the list of users in the member will indicate that this is a flush i.e. only the following users can be members of this group.  If you have the users/groups listed under the member of option, this is an append option. i.e. this group/user is added to the existing list.

I do not have access to a win2k DC so can not say for sure, but I think it is in the same location.
http://support.microsoft.com/kb/313994
0
 
kulisnccAuthor Commented:
I got it. Thanks for your help.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now