• Status: Solved

How to reverse a restricted groups group policy

I created and deployed a group policy that made all domain users part of the local admin group of whichever PC they logged in to. We have decided to reverse this. I unlinked the GPO from the Computers container; however, the setting still remains on the clients, even after a gpupdate /force, reboot, etc. How can I reverse this policy without having to manually configure each client PC? Thanks!
Asked by: tcianflone

1 Solution

ThinkPaper (IT Consultant) commented:
You can't just unlink it. You need to re-specify the Restricted Groups for Administrators in the group policy you changed. My suggestion is you copy the policy you had before (rename it accordingly) and change the settings to below and apply it.

i.e.

Before - Administrators: Domain Users, Domain Admins, Builtin/Administrators

After - Administrators: Domain Admins, Builtin/Administrators (you basically just remove Domain Users)

tcianflone (Author) commented:
Here's the actual way I did it:
Computer Configuration, Policies, Windows Settings, Security Settings, Restricted Groups. Then I added the group domainname/domain users. Then made that group a member of Administrators.

Given that description of the actual policy I am trying to reverse, can you clarify the method to reverse? Thanks.

ThinkPaper (IT Consultant) commented:
Go to Computer Configuration, Policies, Windows Settings, Security Settings, Restricted Groups.

Instead of setting domain Users as member of Administrators, set "BUILTIN/Administrators" and "Domain Administrators" as members of Administrators.

Remove Domain Users from that membership!!!

By doing that, you are basically resetting (overwriting) who is Local admins of the workstations to "Domain Admins" and "Local Admin" accounts only. So Domain Users are no longer administrators of the box.
tcianflone (Author) commented:
Can't see how to differentiate between Builtin/Administrators and the local administrators group. The GUI can't find any permutation of Builtin/Administrators that I try.

tcianflone (Author) commented:
See attached graphic for where I'm at right now. Thanks.
capture.png

tcianflone (Author) commented:
As I said in my last post, there is no Built-In Administrators in the GUI, it's just Administrators. If you drill down the AD object finder eventually you'll see it listed as Built-In. So, if you look at the graphic I posted, that's what it should look like. I linked the updated GPO, did a gpupdate from one of the clients, restarted and the Domain Users were NO LONGER members of the local Administrators group. That's what I was looking for. Thanks.

ThinkPaper (IT Consultant) commented:
FYI, the "Builtin/Administrators" is something you just type in manually (you will not see it if you try to just "browse" for accounts), and that would include any local administrators specified manually on the computer. Builtin Admins ARE Local Admins, so the only reason I specified that as part of the Administrators group is to make sure that we include any local admins that were added manually and did not accidentally exclude them.

BTW, you are not doing it exactly right, as you are NOT specifying any members for the group. You need to specify members for the Admin group, and you only need to set 1 restricted group:

Group Name: Administrators

Members: Domain\Domain Admins, BUILTIN\Administrators

Member of: Administrators

tcianflone (Author) commented:
Here's how I have it now. Please let me know if this is correct. Thank you.
capture2.png

tcianflone (Author) commented:
Sorry to tell you, but set up this way, users still are able to install/uninstall software, and also ADD themselves as members of the local admin group! The way I had it before, it restricted what users were able to do. Please check my most recent graphic and let me know if it's the way you intended it to be set up. Something is definitely not right now that I've changed it.

tcianflone (Author) commented:
Oops! My bad. I am reversing the above comment. Turns out the user machines I was working on had their accounts as part of the Domain Admins group! Once I took them out of there, things started behaving correctly.
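A way to confirm from the admin workstation that the re-specified Restricted Groups entry (Members: Domain Admins, BUILTIN\Administrators) has actually landed on the clients, and to catch the Domain Admins nesting mistake from the last comment. This is an added example, not code from the thread; it assumes PowerShell 5.1+ on the clients (Get-LocalGroupMember), WinRM enabled for Invoke-Command, the RSAT ActiveDirectory module locally, and placeholder names CONTOSO, PC01 and PC02.

```powershell
# Added verification script (not from the thread). Assumptions: PowerShell 5.1+ on the
# clients, WinRM enabled, RSAT ActiveDirectory module on the admin box, and
# "CONTOSO" / PC01 / PC02 as placeholder domain and computer names.
$Domain    = 'CONTOSO'
$Computers = @('PC01', 'PC02')          # constructed sample list; could come from Get-ADComputer

# What the corrected Restricted Groups entry should leave in the local Administrators group:
# Domain Admins plus what BUILTIN\Administrators already held (the local Administrator).
$Allowed = @("$Domain\Domain Admins", 'Administrator')

function Test-LocalAdmins {
    param([string]$Computer)
    $members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup does
        # not depend on the group's (possibly localized) display name.
        Get-LocalGroupMember -SID ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')
    }
    # Drop the "COMPUTERNAME\" prefix from local accounts so they compare against $Allowed.
    $names = $members | ForEach-Object {
        if ($_.PrincipalSource -eq 'Local') { $_.Name.Split('\')[-1] } else { $_.Name }
    }
    [pscustomobject]@{
        Computer        = $Computer
        DomainUsersLeft = [bool]($names -contains "$Domain\Domain Users")
        Unexpected      = @($names | Where-Object { $Allowed -notcontains $_ }) -join ', '
        Members         = $names -join ', '
    }
}

# 1. Did the re-specified policy remove Domain Users from every client?
$Results = foreach ($pc in $Computers) {
    try   { Test-LocalAdmins -Computer $pc }
    catch { [pscustomobject]@{ Computer = $pc; DomainUsersLeft = $null
                               Unexpected = 'unreachable'; Members = $_.Exception.Message } }
}
$Results | Format-Table -AutoSize
$Results | Where-Object DomainUsersLeft |
    ForEach-Object { Write-Warning "$($_.Computer): Domain Users still local admin (run gpupdate /force, then re-check)" }

# 2. The gotcha from the last comment: any user nested in Domain Admins is still a local
#    admin through the policy itself, so list who is really in that group, recursively.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Any row with DomainUsersLeft = True means that client has not yet processed the corrected GPO; an unexpected name in the Unexpected column is a manually added local admin that the BUILTIN\Administrators entry preserved.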