Solved

Restricted Group policy

Posted on 2015-01-14
9
91 Views
Last Modified: 2015-01-15
I have a security group in Active Directory called "Local Executives"
I need to create a Restricted group GPO, for Local Administrators group in each PC, so that "Local Executives" group will be member of Local Administrators group in each PC.
 However I do not want to delete the Already existing members of the local administrator group. It is kind of adding instead of removing and adding.

any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 70 total points
Comment Utility
Then you will need to add the other groups in. If you don't your GPO will overwrite the group. Example.

You have a GPO called localadmins and a new GPO called localexecutives.

localadmins contains the following restricted membership for local admins.

Domain Admins
Workstation Admins
Helpdesk

It is the highest priority GPO on the OU. Your new GPO localexecutives has only the following in the local admin group.

Executive Admins

If you like this GPO at a higher priority than your other GPO it will win based on priority and become the basis for the local admin group removing Domain Admins, Workstation Admins and Helpdesk. So, if you are going to have a new GPO with a separate local admin group membership defined you must include the other groups which are already members as below.

Domain Admins
Workstation Admins
Helpdesk
Executive Admins
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 70 total points
Comment Utility
jskfan, you need to take a closer look. Restricted groups let's you either define what members the local admin group has (and that will delete all others) or it will let you add that group to local admins regardless of who's already in and non-destructive against those members. There are simply too different sections in the GPO, look at it once more.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 360 total points
Comment Utility
If you want to add the Local Executives to each computer's local Administrators group then follow the below steps:

In the Group Policy Management Console, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
Right click and select Add Group
Type in DOMAIN\Local Executives in the Add Group window that appears or locate it via the Browse... button
Click Add in the This group is a member of section
Type in Administrators in the Group Membership window > OK > OK again
Restricted-Groups.PNG
This will add the Local Executives group to each PC's local Administrators group and keep the group membership in tact.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Thanks for illustrating my comment, VB ITS :)
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 

Author Comment

by:jskfan
Comment Utility
VB ITS

Thanks for the screenshot and the wizard walk through...I want just to make sure I understood the procedure.

So in the screenshot you posted above, there are 2 window panels, if I add "Executive Admins" to the top window then all existing members of the local administrators group in workstations will be deleted except for "Executive Admins" that I have added.

if I add "Executive Admins" to the bottom window,  then existing members of local administrators group will stay there and "Executive Admins" group will be added.

Correct ?
0
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
No, if you add Executive Admins to the box above then the policy will attempt to place Executive Admins in the Executive Admins group. This obviously will not work very well!

If you want to replace the membership of the local Administrators group then you would specify Administrators when you go to create the Restricted Group. See below:
Restricted-Groups---Replace-AdministratoRestricted-Groups---Replace-AdministratoRestricted-Groups---Replace-Administrato
In the above scenario, the Administrators group on each workstation will have the group membership replaced so that DOMAIN\User is the only member of the group.

Hope this makes sense.
0
 

Author Comment

by:jskfan
Comment Utility
No my Goal is to add Executive Admins Group to Local administrators group on each workstation without deleting the existing members of the local administrators group.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 360 total points
Comment Utility
Then please follow the steps in my earlier comment: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28596305.html#a40548847

My previous comment was to try and get you to understand how Restricted Groups work in Group Policy, I apologize for any confusion.

Ignore my previous comment and follow the steps linked above - this will add the Executive Admins group to the local Administrators group on each workstation that the policy is applied to. It will not delete/replace any existing members in the local Administrators group.

I hope this clears it up for you.
0
 

Author Closing Comment

by:jskfan
Comment Utility
Thank you
0

Featured Post

Do email signature updates give you a headache?

Constantly trying to correctly format email signatures? Spending all of your time at every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now