group policy overriding local policy

I have some group policies on our domain to allow admins to RDP onto desktops. This worked fine until I made a few changes to what I thought were unrelated policies. I occasionally add a user to the local workstation Remote Desktop Users group (lusrmgr.msc). I also have added domain admin accounts to this local group through group policy and now I've noticed that the users that were added to this group are not there anymore, as if group policy replaced the entire member list with the global policy.

Is there a way to allow individually added users to this local group to stay along with users added through group policy?

scraby asked:

Will Szymkowski (Senior Solution Architect) commented:
You can use "Block Inheritance" on the OU that the computer or user account is currently in. It is recommended to use "Block Inheritance" sparingly, as it creates more overhead when processing Group Policy. When you use this a lot in your environment it can get difficult when trying to troubleshoot issues.

http://technet.microsoft.com/en-us/library/cc731076.aspx

Hope this helps
0
ZamZ0 commented:
I think you would need to put those users in a separate OU, something like LocalRDPUsers, with all of their current permissions retained and then link that OU to the rdp GPO you created.
0
scraby (Author) commented:
I don't want to block inheritance because I want the GP to allow admins to be able to RDP everywhere. My problem is that some stations have individuals added to the local Remote Desktop Users group and group policy is erasing these individuals every time it's applied.

If I create a separate OU and link it to the GPO then I'm back in the same place.
0
ZamZ0 commented:
Can you make a separate group for Local RDP Admins and put the users who have it locally in that group, eliminating the need to have the GPO applied on their local security policy?
0
ButlerTechnology commented:
Are you using Restricted Groups or Preferences for setting the policy? The Local Users and Groups preference has the option of removing group members before applying the rule. If you leave that unchecked, it should merge the group membership. This will keep your group members that are locally assigned and add your admins.

Tom
0
scraby (Author) commented:
ButlerTechnology,
I'm using:
Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

Is the Local Users and Groups that you're referring to under
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups?

So you're saying to add my admins through Local Users and Groups instead of Restricted Groups?
0
ButlerTechnology commented:
Scraby:

Yes, this was introduced in 2008 R2 (maybe 2008). It is a little more flexible than Restricted Groups.

Tom
0
scraby (Author) commented:
Nice work, Restricted Groups overwrites any existing members. Funny thing though, when I removed the Restricted Groups policy, all the old local users in the RDP group that had disappeared under Restricted Groups came back.

Thanks
0
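A way to catch this kind of overwrite before users start complaining, as an added example that is not from the thread or from Microsoft: snapshot the local Remote Desktop Users group on a workstation, then diff the live membership against that baseline after each policy refresh. Members that vanished while admin accounts appeared at the same time is exactly the signature of a Restricted Groups "Members of this group" setting replacing the list, as opposed to a GPP Local Users and Groups item with "Delete all member users" left unchecked, which merges. Assumes the LocalAccounts module (Windows 10 / Server 2016 or later); the baseline path and function names are my own choices.

```powershell
# Added example, not from the original thread. Assumes Get-LocalGroupMember
# (LocalAccounts module, Windows 10 / Server 2016+). Path is hypothetical.
$Group        = 'Remote Desktop Users'
$BaselinePath = Join-Path $env:ProgramData 'RdpGroupBaseline.json'

function Get-RdpMembers {
    # Normalise to lower-case "DOMAIN\name" / "COMPUTER\name" so local and
    # domain principals compare cleanly regardless of how they were typed.
    Get-LocalGroupMember -Group $Group |
        ForEach-Object { $_.Name.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Save-RdpBaseline {
    # Run once while the locally added users are still present, i.e. before the
    # next gpupdate. -InputObject keeps a one-member list as a JSON array.
    ConvertTo-Json -InputObject @(Get-RdpMembers) |
        Set-Content -Path $BaselinePath -Encoding UTF8
}

function Test-RdpMembership {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-RdpBaseline first."
    }
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-RdpMembers)
    $diff     = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    $missing  = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
    $added    = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Missing        = $missing
        Added          = $added
        # Losses and additions in the same refresh: the list was replaced, not
        # merged, which is what Restricted Groups "Members" does.
        LikelyReplaced = ($missing.Count -gt 0 -and $added.Count -gt 0)
    }
}

# Usage: Save-RdpBaseline once, then Test-RdpMembership after gpupdate /force
# (or from a scheduled task) and alert on LikelyReplaced or a non-empty Missing.
```

Running the check from a scheduled task and forwarding the object to your log collector turns a silent membership wipe into an event you can alert on.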
Active Directory