How to reverse a restricted groups group policy

Posted on 2013-06-13
Last Modified: 2013-06-27
I created and deployed a group policy that made all domain users part of the local admin group of whichever PC they logged in to. We have decided to reverse this. I unlinked the GPO from the Computers container, however, the setting still remains on the clients, even after a gpupdate /force, reboot, etc. How can I reverse this policy without having to manually configure each client PC? Thanks!
Question by:tcianflone
Expert Comment

by:ThinkPaper
ID: 39244867
You can't just unlink it. You need to re-specify the Restricted Groups for Administrators in the group policy you changed. My suggestion is you copy the policy you had before (rename it accordingly) and change the settings to below and apply it.

i.e.

Before - Administrators: Domain Users, Domain Admins, Builtin/Administrators

After - Administrators: Domain Admins, Builtin/Administrators (you basically just remove Domain Users)

Author Comment

by:tcianflone
ID: 39244901
Here's the actual way I did it:
Computer Configuration, Policies, Windows Settings, Security Settings, Restricted Groups. Then I added the group domainname/domain users. Then made that group a member of Administrators.

Given that description of the actual policy I am trying to reverse, can you clarify the method to reverse? Thanks.

Accepted Solution

by:ThinkPaper (earned 300 total points)
ID: 39245259
Go to Computer Configuration, Policies, Windows Settings, Security Settings, Restricted Groups.

Instead of setting domain Users as member of Administrators, set "BUILTIN/Administrators" and "Domain Administrators" as members of Administrators.

Remove Domain Users from that membership!!!

By doing that, you are basically resetting (overwriting) who is Local admins of the workstations to "Domain Admins" and "Local Admin" accounts only. So Domain Users are no longer administrators of the box.
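To confirm on a client that the corrected policy really replaced the local Administrators membership, the following PowerShell audit is an added example (not code from this thread). It lists the members of the local Administrators group with their SIDs and flags Domain Users by its well-known RID (513) rather than by display name, so it works whatever the domain is called; the Get-LocalGroupMember path assumes a Windows 10 / Server 2016 or later client, and the ADSI WinNT path is the fallback for the Windows 7-era clients of the original question.

```powershell
# Added example: audit who is actually in the local Administrators group after the
# corrected Restricted Groups policy applies, and flag "Domain Users" (RID 513).
# Uses Get-LocalGroupMember where the cmdlet exists (Windows 10 / Server 2016+),
# otherwise the ADSI WinNT provider, which also works on older clients and remotely.

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)

    if ($ComputerName -eq $env:COMPUTERNAME -and (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue)) {
        # Newer clients: the cmdlet returns the SID directly.
        return Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value; Source = $_.PrincipalSource }
        }
    }

    # Older clients or remote computers: ADSI WinNT provider.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path     = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        [pscustomobject]@{
            Name   = (($path -replace '^WinNT://', '') -replace '/', '\')
            Sid    = $sid.Value
            Source = 'ADSI'
        }
    }
}

function Test-DomainUsersIsLocalAdmin {
    param([object[]]$Members = (Get-LocalAdminMembers))
    # "Domain Users" is always RID 513 and "Domain Admins" RID 512 in their domain.
    # Matching on the RID avoids depending on display names or the domain SID.
    $domainUsers  = $Members | Where-Object { $_.Sid -match '^S-1-5-21-\d+-\d+-\d+-513$' }
    $domainAdmins = $Members | Where-Object { $_.Sid -match '^S-1-5-21-\d+-\d+-\d+-512$' }
    [pscustomobject]@{
        DomainUsersStillAdmin = [bool]$domainUsers
        DomainAdminsPresent   = [bool]$domainAdmins
        Members               = $Members
    }
}

$result = Test-DomainUsersIsLocalAdmin
$result.Members | Format-Table Name, Sid, Source -AutoSize
if ($result.DomainUsersStillAdmin) {
    Write-Warning 'Domain Users is still in local Administrators: the Restricted Groups policy has not applied here (check gpresult /r under COMPUTER SETTINGS).'
} else {
    Write-Host 'Domain Users is not a member of local Administrators.'
}
```

Run it as an administrator on the client after gpupdate /force and a reboot; because Restricted Groups is a computer-side setting, the policy must show up under COMPUTER SETTINGS in gpresult, and the check should be repeated on a second machine before concluding the GPO works domain-wide.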

Author Comment

by:tcianflone
ID: 39245335
Can't see how to differentiate between Builtin/Administrators and the local administrators group. The GUI can't find any permutation of Builtin/Administrators that I try.

Author Comment

by:tcianflone
ID: 39245342
See attached graphic for where I'm at right now. Thanks.
capture.png

Author Closing Comment

by:tcianflone
ID: 39281496
As I said in my last post, there is no Built-In Administrators in the GUI, it's just Administrators. If you drill down the AD object finder eventually you'll see it listed as Built-In. So, if you look at the graphic I posted, that's what it should look like. I linked the updated GPO, did a gpupdate from one of the clients, restarted and the Domain Users were NO LONGER members of the local Administrators group. That's what I was looking for. Thanks.

Expert Comment

by:ThinkPaper
ID: 39282023
FYI The "Builtin/Administrators" is something you just type in manually (you will not see it if you try to just "browse" for accounts) and that would include any local administrators specified manually on the computer. Builtin Admins ARE Local Admins, so the only reason I specified that as part of the Administrators group is to make sure that we include any local admins that were added manually and did not accidentally exclude it.

BTW, you are not doing it exactly right, as you are NOT specifying any members for the group. You need to specify members for the Admin group, and you only need to set 1 restricted group:

Group Name: Administrators

Members: Domain\Domain Admins, BUILTIN\Administrators

Member of: Administrators
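The "Members" list of a Restricted Groups entry is authoritative: whatever is listed there replaces the group's membership on the client, which is why the list must name Domain Admins and BUILTIN\Administrators and must not name Domain Users. Rather than verifying that by trial on a workstation, the GPO's own stored settings can be read from SYSVOL. The script below is an added example (not from this thread) that parses the [Group Membership] section of a GPO's security template; the SYSVOL path in the comment is the standard location, and the GptTmpl.inf content embedded in the script is constructed to show what the corrected policy should contain, using a made-up domain SID.

```powershell
# Added example: read the Restricted Groups entries a GPO actually stores.
# They live in the GPO's security template in SYSVOL:
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# under [Group Membership] as "<principal>__Members" / "<principal>__Memberof" lines,
# where a leading "*" marks a SID rather than a name.

function Get-RestrictedGroups {
    param(
        [string]$Path,      # path to a GptTmpl.inf (UTF-16LE with BOM; Get-Content handles it)
        [string[]]$Lines    # or the file's lines, for testing without SYSVOL access
    )
    if (-not $Lines) { $Lines = Get-Content -Path $Path }

    $inSection = $false
    $table = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^(?<principal>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $principal = $Matches.principal
            if (-not $table.ContainsKey($principal)) {
                $table[$principal] = [pscustomobject]@{ Group = $principal; Members = @(); MemberOf = @() }
            }
            $values = @($Matches.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($Matches.kind -eq 'Members') { $table[$principal].Members = $values }
            else                             { $table[$principal].MemberOf = $values }
        }
    }
    $table.Values
}

# Translate the well-known SIDs for display; anything else is shown as stored.
function Resolve-TemplatePrincipal {
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }   # stored by name, not SID
    $sid = $Entry.Substring(1)
    switch -Regex ($sid) {
        '^S-1-5-32-544$'             { return 'BUILTIN\Administrators' }
        '^S-1-5-21-\d+-\d+-\d+-512$' { return 'Domain Admins (RID 512)' }
        '^S-1-5-21-\d+-\d+-\d+-513$' { return 'Domain Users (RID 513)' }
        default                      { return $sid }
    }
}

# Constructed sample (fictional domain SID) of the corrected GPO's template:
# Administrators' membership is replaced with Domain Admins and BUILTIN\Administrators.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-32-544
'@ -split "`r?`n"

foreach ($g in Get-RestrictedGroups -Lines $sampleInf) {
    $groupName = Resolve-TemplatePrincipal $g.Group
    $members   = $g.Members | ForEach-Object { Resolve-TemplatePrincipal $_ }
    '{0} -> Members: {1}' -f $groupName, ($members -join ', ')
    if ($g.Members -match '-513$') {
        Write-Warning "$groupName still lists Domain Users as a member"
    }
}
```

To check a live GPO, pass `-Path` with the SYSVOL file for that GPO's GUID (Get-GPO -Name <name> shows the Id) instead of `-Lines`. A template whose Administrators entry has an empty `__Members` line but populated `__Memberof` lines is the mistake described in the comment above: the group is being nested somewhere rather than having its membership defined.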

Author Comment

by:tcianflone
ID: 39282248
Here's how I have it now. Please let me know if this is correct. Thank you.
capture2.png

Author Comment

by:tcianflone
ID: 39282362
Sorry to tell you, but set up this way, users still are able to install/uninstall software, and also ADD themselves as members of the local admin group! The way I had it before, it restricted what users were able to do. Please check my most recent graphic and let me know if it's the way you intended it to be set up. Something is definitely not right now that I've changed it.

Author Comment

by:tcianflone
ID: 39282596
Oops! My bad. I am reversing the above comment. Turns out the user machines I was working on had their accounts as part of the Domain Admins group! Once I took them out of there, things started behaving correctly.
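The closing comment shows the usual reason a Restricted Groups fix looks like it failed: the test accounts still reached local Administrators through a group the policy deliberately keeps (Domain Admins). Token membership is also computed at logon, so a user who was in Administrators before the policy applied keeps that group in their token until they log off and on. The script below is an added example (not code from the thread) that reports, for the logged-on user, whether the current token is elevated and which of Domain Admins (RID 512), Domain Users (RID 513) or BUILTIN\Administrators it carries.

```powershell
# Added example: explain why the logged-on user still has admin rights after the
# corrected Restricted Groups policy. Reads the current token rather than the
# local group, so it also catches membership that arrives via Domain Admins.

function Get-AdminPathReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    $groups = foreach ($g in $identity.Groups) {
        $name = $null
        try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }

    [pscustomobject]@{
        User               = $identity.Name
        # IsInRole reflects the *current* token: under UAC a non-elevated admin
        # session reports $false; run "whoami /groups" to see the deny-only entries.
        ElevatedAdminNow   = $principal.IsInRole($adminRole)
        InDomainAdmins     = [bool]($groups | Where-Object { $_.Sid -match '^S-1-5-21-\d+-\d+-\d+-512$' })
        InDomainUsers      = [bool]($groups | Where-Object { $_.Sid -match '^S-1-5-21-\d+-\d+-\d+-513$' })
        LocalAdminsInToken = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })
        Groups             = $groups
    }
}

$r = Get-AdminPathReport
$r | Format-List User, ElevatedAdminNow, InDomainAdmins, InDomainUsers, LocalAdminsInToken
if ($r.InDomainAdmins) {
    Write-Warning "$($r.User) is in Domain Admins; the Restricted Groups change keeps that group as a local admin by design."
} elseif ($r.LocalAdminsInToken) {
    Write-Warning "$($r.User) still carries BUILTIN\Administrators in the token: log off and on after gpupdate, or re-check the local group membership."
}
```

Run it in the test user's own session (not an elevated administrator prompt) on a client that has already applied the updated GPO; a plain domain user should show InDomainUsers true and both InDomainAdmins and LocalAdminsInToken false.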