Local Admin GPO & Domain Administrators Group

This may take a bit to explain so bear with me here.

My journey started with moving to Exchange 2010 and wanting to have direct push still work on my phone. In order for direct push to work, under the advanced settings in AD, in the Security tab -> Advanced, I must have "Allow inheritable permissions..." checked. However, if you're a domain admin you cannot have this; the system automatically unchecks it. As a result, I had to remove myself from Domain Admins and act as a normal user like MS wants us all to do.

I quickly found out I couldn't manage users like I needed to because I was no longer a local admin on their machines or on the servers. So, I created a Restricted Groups setting in Group Policy that added a group called "IT Admins" to "Administrators". I did this on the whole domain and not just the container for the workstations because I wanted to be the local admin on servers as well.

When I did this, I noticed, after the GPO had propagated to everyone, that the group "IT Admins" is now also in the BUILTIN\Administrators group on the domain. As a result, my personal user, through trickle-down, has the "Allow inheritable permissions..." checkbox turned off.

Now, after a week of this setting, I am still getting push e-mail just fine, so far. However, I'm curious how to stop the "IT Admins" group from being put in the domain "Administrators" group. I only want it in the local one. Is it because I have the GPO applied to the whole domain, and thus the AD servers, which don't have local groups, simply add it to the domain Administrators group?

cmaohio (Senior Systems Manager) asked:


Hmm.  I'm a domain admin, I'm running Exchange 2010, and I'm getting push email just fine on my iPhone via ActiveSync.  I did not create a special group or account for myself.

Having said that, this issue sounds familiar to me, and perhaps it's one we solved awhile back and I'm forgetting, but I certainly don't remember going through all the trouble you're describing.

How's that for useless help?  :)  I'll rack my brain a bit more to see if I can figure out why mine is working.

I think this is helpful, and sounds like a much simpler solution, but it assumes you're OK with going against MS's "best practices" and leaving yourself as a Domain Admin.

Mike Kline commented:
You could apply it at the OU level(s).  If you want the GPO to not apply to a group of computers you can also use security filtering: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

Create a group and place the machines in that group and deny read access.

Do you have servers and workstations in their own OU?  I'd probably link there if that is how it is set up.
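Before relinking the GPO, it is worth confirming what the poster describes: a domain-root link reaches the Domain Controllers OU, where "Administrators" is the domain's BUILTIN\Administrators group, and AdminSDHolder then strips inheritance from every member. The script below is an added diagnostic, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain-joined session with read access to AD.

```powershell
# Added diagnostic, not from the thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules are installed and the session is domain-joined.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Which GPOs are linked at the domain root? A Restricted Groups setting
#    linked here also applies to domain controllers, where "Administrators"
#    means the domain's BUILTIN\Administrators group, not a workstation-local one.
$domainDn = (Get-ADDomain).DistinguishedName
Write-Host "GPOs linked at $domainDn :"
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order |
    Format-Table -AutoSize

# 2. Who effectively ends up in the domain Administrators group once nested
#    groups (such as "IT Admins") are resolved?
Write-Host "Effective members of BUILTIN\Administrators:"
Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Select-Object objectClass, SamAccountName |
    Format-Table -AutoSize

# 3. Accounts that AdminSDHolder has already stamped (adminCount=1) and whether
#    inheritance is blocked on their ACL. A blocked ACL is the "Allow inheritable
#    permissions..." box being cleared, which is what breaks ActiveSync direct push.
#    Note: removing a user from the protected group does not undo this; adminCount
#    and the protected ACL stay until they are reset by hand.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            User               = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    } | Format-Table -AutoSize
```

Run it once before and once after moving the link to the server and workstation OUs; the third table should stop gaining entries, and any account that should no longer be protected will still need adminCount cleared and inheritance re-enabled manually.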


cmaohio (Senior Systems Manager), author, commented:
jaustin1, yeah, the link you sent is more than I'd want to do. That messes with areas I probably shouldn't be messing with.

mkline71, I was considering doing that and then simply adding the "IT Admins" group manually to the local Administrators groups of the servers (all except the AD servers); that may "fix" it. Yes, the workstations are in another OU from the servers.

I will try that and see if it helps.