Restricted Groups Problem

Greetings,

I am working with WIN2008 Enterprise Active Directory.

I recently wanted to make one regular domain user a local admin on certain workstations and I did accomplish that by using Restricted Groups.

The thing now is, I want one more local admin to help the first one. But I did not want the new one to be added to the same Restricted Group which the first one is in.

I went on and made another GPO and named it 2ndlocaladmin and went to Restricted Groups and added a group and named it Administrators inside. And then went to its properties and I added that new domain user to this newly created group.

When I went on to link this GPO to the workstations group wanted, nothing happened.

Neither the domain admin nor the new GPO worked and I had to remove the GPO.

Is there a problem with having two different Restricted Groups GPOs in the same domain, knowing that the two are not applied to the same computers ("workstations") group? Meaning, the two are not linked to the same computers group at the same time; each one is linked to a different computers group.

And what could it be that I am doing wrong here?

Thank you
Asked by ksssg
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
I would suggest removing the Restricted Groups GPO and using Group Policy Preferences (GPP) for that. It's much easier to use and it's a newer option since 2008/Win7.

More about this method at
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

If you need to apply GPP to XP/2003 clients, you need to install the Client Side Extension (CSE) first. It can be downloaded from

for XP
http://www.microsoft.com/download/en/details.aspx?id=3628

for 2003
http://www.microsoft.com/download/en/details.aspx?id=6955

or you can push this update from WSUS.

Regards,
Krzysztof
 
ksssg (Author) Commented:
I LOVE YOU iSiek, I LOVE YOU SO MUCH lol. You see, the second I see your nickname I just know I will find an answer, and not any answer, the absolute ONE good answer there lol.

Yep, a True Genius

Thank you so much
 
ksssg (Author) Commented:
What can I say, iSiek is a Genius!
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
Thank you for the compliment :)

Krzysztof
Question has a verified solution.
