scraby asked:
group policy overriding local policy

I have some group policies on our domain to allow admins to RDP onto desktops. This worked fine until I made a few changes to what I thought were unrelated policies. I occasionally add a user to the local workstation Remote Desktop Users group (lusrmgr.msc). I have also added domain admin accounts to this local group through group policy, and now I've noticed that the users that were added to this group are not there anymore, as if group policy replaced the entire member list with the global policy.

Is there a way to allow individually added users to this local group to stay, along with users added through group policy?
Will Szymkowski

You can use "Block inheritance" on the OU the computer or user account is currently in. It is recommended to use "Block inheritance" sparingly, as it creates more overhead when processing Group Policy. When you use this a lot in your environment, it can get difficult when trying to troubleshoot issues.

http://technet.microsoft.com/en-us/library/cc731076.aspx

Hope this helps
ZamZ0

I think you would need to put those users in a separate OU, something like LocalRDPUsers, with all of their current permissions retained and then link that OU to the rdp GPO you created.
scraby (ASKER)

I don't want to block inheritance because I want the GP to allow admins to be able to RDP everywhere. My problem is that some stations have individuals added to the local Remote Desktop Users group, and group policy is erasing these individuals every time it's applied.

If I create a separate OU and link it to the GPO, then I'm back in the same place.

Can you make a separate group for Local RDP Admins and put the users who have it locally in that group, eliminating the need to have the GPO applied on their local security policy?
Are you using Restricted Groups or Preferences for setting the policy? The Local Users and Groups preference has the option of removing group members before applying the rule. If you leave that unchecked, it should merge the group membership. This will keep your group members that are locally assigned and add your admins.

Tom
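To check which of the two mechanisms Tom describes a given GPO actually uses for the Remote Desktop Users group, and whether it will wipe locally added members, the following PowerShell script is an added example (not from this thread or from any of the posters). It assumes the usual SYSVOL layout: Restricted Groups settings are stored in the GPO's GptTmpl.inf under a `*<SID>__Members` key, and the Local Users and Groups preference is stored in Groups.xml with `deleteAllUsers` / `deleteAllGroups` attributes; the domain name and GPO GUID are placeholders you replace with your own.

```powershell
# Added example: audit one GPO for how it manages the local Remote Desktop Users group.
# Restricted Groups (GptTmpl.inf) always replaces the member list.
# The Local Users and Groups preference (Groups.xml) only replaces it when the
# deleteAllUsers / deleteAllGroups flags are set; otherwise it merges.
# The SYSVOL paths below are assumptions about the standard GPO folder layout.
param(
    [string]$Domain    = 'example.local',                             # placeholder domain
    [string]$GpoGuid   = '{00000000-0000-0000-0000-000000000000}',    # placeholder GPO id
    [string]$GroupName = 'Remote Desktop Users',
    [string]$GroupSid  = 'S-1-5-32-555'                               # well-known SID of Remote Desktop Users
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Machine"

# --- Restricted Groups: Computer Configuration > Policies > Windows Settings > Security Settings ---
$infPath = Join-Path $policyRoot 'Microsoft\Windows NT\SecEdit\GptTmpl.inf'
if (Test-Path $infPath) {
    $inf = Get-Content -Path $infPath
    # Membership lines look like: *S-1-5-32-555__Members = *S-1-5-21-...,*S-1-5-21-...
    $rgLine = $inf | Where-Object { $_ -match "^\*$([regex]::Escape($GroupSid))__Members\s*=" }
    if ($rgLine) {
        Write-Warning "Restricted Groups controls '$GroupName' in this GPO; membership is REPLACED at every refresh."
        Write-Output "  $rgLine"
    }
}

# --- Local Users and Groups preference: Computer Configuration > Preferences > Control Panel Settings ---
$xmlPath = Join-Path $policyRoot 'Preferences\Groups\Groups.xml'
if (Test-Path $xmlPath) {
    [xml]$groups = Get-Content -Path $xmlPath
    foreach ($g in $groups.Groups.Group) {
        $p = $g.Properties
        # Match the group either by SID or by display name
        if ($p.groupSid -ne $GroupSid -and $p.groupName -ne $GroupName) { continue }
        $wipes   = ($p.deleteAllUsers -eq '1') -or ($p.deleteAllGroups -eq '1')
        $members = ($p.Members.Member | ForEach-Object { "$($_.action):$($_.name)" }) -join ', '
        if ($wipes) {
            Write-Warning "Preference item for '$GroupName' has 'Delete all member users/groups' set; local members will be removed."
        } else {
            Write-Output "Preference item for '$GroupName' merges members (delete-all flags unset)."
        }
        Write-Output "  Members: $members"
    }
}

# --- What the workstation actually has right now ---
# Run this part on the workstation itself to see whether locally added accounts
# survived the last policy refresh (PrincipalSource shows Local vs ActiveDirectory).
Get-LocalGroupMember -Group $GroupName | Select-Object Name, ObjectClass, PrincipalSource
```

Run it from a domain-joined machine with read access to SYSVOL; the warnings tell you whether the GPO is the one overwriting the local membership, and the final listing shows the current state of the group on the workstation you run it on.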
Scraby:

Yes -- this was introduced in 2008 R2 (maybe 2008). It is a little more flexible than Restricted Groups.

Tom
scraby (ASKER)

Nice work. Restricted Groups overwrites any existing members. Funny thing though: when I removed the Restricted Groups policy, all the old local users in the RDP group that had disappeared under Restricted Groups came back.

Thanks