Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Restricted Group policy

Posted on 2015-01-14
9
Medium Priority
?
101 Views
Last Modified: 2015-01-15
I have a security group in Active Directory called "Local Executives"
I need to create a Restricted group GPO, for Local Administrators group in each PC, so that "Local Executives" group will be member of Local Administrators group in each PC.
 However I do not want to delete the Already existing members of the local administrator group. It is kind of adding instead of removing and adding.

any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 280 total points
ID: 40548463
Then you will need to add the other groups in. If you don't your GPO will overwrite the group. Example.

You have a GPO called localadmins and a new GPO called localexecutives.

localadmins contains the following restricted membership for local admins.

Domain Admins
Workstation Admins
Helpdesk

It is the highest priority GPO on the OU. Your new GPO localexecutives has only the following in the local admin group.

Executive Admins

If you like this GPO at a higher priority than your other GPO it will win based on priority and become the basis for the local admin group removing Domain Admins, Workstation Admins and Helpdesk. So, if you are going to have a new GPO with a separate local admin group membership defined you must include the other groups which are already members as below.

Domain Admins
Workstation Admins
Helpdesk
Executive Admins
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 280 total points
ID: 40548618
jskfan, you need to take a closer look. Restricted groups let's you either define what members the local admin group has (and that will delete all others) or it will let you add that group to local admins regardless of who's already in and non-destructive against those members. There are simply too different sections in the GPO, look at it once more.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 1440 total points
ID: 40548847
If you want to add the Local Executives to each computer's local Administrators group then follow the below steps:

In the Group Policy Management Console, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
Right click and select Add Group
Type in DOMAIN\Local Executives in the Add Group window that appears or locate it via the Browse... button
Click Add in the This group is a member of section
Type in Administrators in the Group Membership window > OKOK again
Restricted-Groups.PNG
This will add the Local Executives group to each PC's local Administrators group and keep the group membership in tact.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 56

Expert Comment

by:McKnife
ID: 40548873
Thanks for illustrating my comment, VB ITS :)
0
 

Author Comment

by:jskfan
ID: 40550868
VB ITS

Thanks for the screenshot and the wizard walk through...I want just to make sure I understood the procedure.

So in the screenshot you posted above, there are 2 window panels, if I add "Executive Admins" to the top window then all existing members of the local administrators group in workstations will be deleted except for "Executive Admins" that I have added.

if I add "Executive Admins" to the bottom window,  then existing members of local administrators group will stay there and "Executive Admins" group will be added.

Correct ?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40550898
No, if you add Executive Admins to the box above then the policy will attempt to place Executive Admins in the Executive Admins group. This obviously will not work very well!

If you want to replace the membership of the local Administrators group then you would specify Administrators when you go to create the Restricted Group. See below:
Restricted-Groups---Replace-AdministratoRestricted-Groups---Replace-AdministratoRestricted-Groups---Replace-Administrato
In the above scenario, the Administrators group on each workstation will have the group membership replaced so that DOMAIN\User is the only member of the group.

Hope this makes sense.
0
 

Author Comment

by:jskfan
ID: 40551125
No my Goal is to add Executive Admins Group to Local administrators group on each workstation without deleting the existing members of the local administrators group.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 1440 total points
ID: 40551140
Then please follow the steps in my earlier comment: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28596305.html#a40548847

My previous comment was to try and get you to understand how Restricted Groups work in Group Policy, I apologize for any confusion.

Ignore my previous comment and follow the steps linked above - this will add the Executive Admins group to the local Administrators group on each workstation that the policy is applied to. It will not delete/replace any existing members in the local Administrators group.

I hope this clears it up for you.
0
 

Author Closing Comment

by:jskfan
ID: 40551162
Thank you
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question