Solved

Restricted Group policy

Posted on 2015-01-14
95 Views
Last Modified: 2015-01-15
I have a security group in Active Directory called "Local Executives"
I need to create a Restricted Groups GPO for the local Administrators group on each PC, so that the "Local Executives" group will be a member of the local Administrators group on each PC.
However, I do not want to delete the already existing members of the local Administrators group. It is kind of adding instead of removing and adding.

any help will be very much appreciated.

Thanks
Question by:jskfan
9 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 70 total points
ID: 40548463
Then you will need to add the other groups in. If you don't, your GPO will overwrite the group. Example:

You have a GPO called localadmins and a new GPO called localexecutives.

localadmins contains the following restricted membership for local admins.

Domain Admins
Workstation Admins
Helpdesk

It is the highest priority GPO on the OU. Your new GPO localexecutives has only the following in the local admin group.

Executive Admins

If you link this GPO at a higher priority than your other GPO, it will win based on priority and become the basis for the local admin group, removing Domain Admins, Workstation Admins and Helpdesk. So, if you are going to have a new GPO with a separate local admin group membership defined, you must include the other groups which are already members, as below.

Domain Admins
Workstation Admins
Helpdesk
Executive Admins
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 70 total points
ID: 40548618
jskfan, you need to take a closer look. Restricted Groups lets you either define what members the local admin group has (and that will delete all others), or it will let you add that group to local admins regardless of who's already in, non-destructively for those members. There are simply two different sections in the GPO; look at it once more.
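The two comments above describe two different things: Learnctx's precedence problem (a higher-priority GPO whose "Members of this group" list replaces the Administrators membership and drops everyone not listed) and McKnife's point that the dialog has two sections with opposite semantics. The script below is an added example, not code from the thread or from Microsoft, that models how the Security Settings extension resolves both. It parses the `[Group Membership]` section of the GptTmpl.inf that a Restricted Groups GPO writes to SYSVOL, where `<group>__Members` is the top box (replace) and `<group>__Memberof` is the bottom box (add), and then works out the resulting local Administrators membership for three scenarios. The INF bodies, the CONTOSO domain, the GPO roles and the workstation's starting member list are constructed sample input.

```powershell
# Added example (not from the thread): resolve the effective local Administrators
# membership from Restricted Groups GPOs the way the Security Settings extension does.
# Each GPO stores its settings in SYSVOL at
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# under [Group Membership], one key per box in the GPMC dialog:
#   <group>__Members  = a,b   "Members of this group"     -> REPLACES the group's membership
#   <group>__Memberof = x,y   "This group is a member of" -> ADDS <group> to x and y, removes nothing
# SIDs carry a leading '*', names appear as DOMAIN\Name. Everything below the functions
# (INF text, CONTOSO domain, member names) is constructed for illustration.

function Get-RestrictedGroupEntries {
    param([Parameter(Mandatory)][string]$GptTmplText)
    $inSection = $false
    foreach ($raw in ($GptTmplText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or -not $line) { continue }
        if ($line -match '^(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<list>.*)$') {
            [pscustomobject]@{
                Group = $Matches['group'].TrimStart('*')
                Mode  = $Matches['mode']
                List  = @($Matches['list'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
    }
}

function Resolve-LocalAdministrators {
    # $GpoTexts is ordered from lowest to highest precedence: the GPO that wins the
    # link-order conflict is processed last, so its __Members value for Administrators
    # replaces any earlier one. __Memberof entries from every GPO are all honoured.
    param(
        [Parameter(Mandatory)][string[]]$GpoTexts,
        [Parameter(Mandatory)][string[]]$CurrentMembers
    )
    $adminsIds   = @('S-1-5-32-544', 'Administrators')
    $replaceWith = $null
    $adds        = @()
    foreach ($text in $GpoTexts) {
        foreach ($e in Get-RestrictedGroupEntries -GptTmplText $text) {
            if ($e.Mode -eq 'Members' -and $e.Group -in $adminsIds) {
                $replaceWith = $e.List
            } elseif ($e.Mode -eq 'Memberof' -and ($e.List | Where-Object { $_ -in $adminsIds })) {
                $adds += $e.Group
            }
        }
    }
    if ($null -ne $replaceWith) {
        # Replace mode: every current member not on the list is removed; the built-in
        # Administrator account is the one member the extension always keeps.
        $result = @($CurrentMembers | Where-Object { $_ -eq 'Administrator' }) + $replaceWith
    } else {
        $result = @($CurrentMembers)
    }
    foreach ($g in $adds) { if ($g -notin $result) { $result += $g } }
    return $result
}

# Constructed: the existing "localadmins" GPO, Administrators entry with three groups in the TOP box.
$LocalAdminsGpo = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\Domain Admins,CONTOSO\Workstation Admins,CONTOSO\Helpdesk
'@
# Constructed: "localexecutives" done wrong, Local Executives typed into the TOP box of an Administrators entry.
$WrongExecGpo = @'
[Group Membership]
*S-1-5-32-544__Members = CONTOSO\Local Executives
*S-1-5-32-544__Memberof =
'@
# Constructed: "localexecutives" done right, a Local Executives entry with Administrators in the BOTTOM box.
$RightExecGpo = @'
[Group Membership]
CONTOSO\Local Executives__Members =
CONTOSO\Local Executives__Memberof = *S-1-5-32-544
'@

# Constructed starting membership on one workstation, including a local support account.
$workstationBefore = 'Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins',
                     'CONTOSO\Helpdesk', 'WKS01\LocalSupport'

$scenarios = [ordered]@{
    'Memberof GPO only (the question)'                = @($RightExecGpo)
    'localadmins, then wrong localexecutives on top'  = @($LocalAdminsGpo, $WrongExecGpo)
    'localadmins, then right localexecutives on top'  = @($LocalAdminsGpo, $RightExecGpo)
}
foreach ($name in $scenarios.Keys) {
    $after   = Resolve-LocalAdministrators -GpoTexts $scenarios[$name] -CurrentMembers $workstationBefore
    $removed = @($workstationBefore | Where-Object { $_ -notin $after })
    $removedText = if ($removed.Count) { $removed -join ', ' } else { 'none' }
    "{0}`n  result : {1}`n  removed: {2}" -f $name, ($after -join ', '), $removedText
}
```

The first scenario is the asker's goal: only a `__Memberof` entry exists, so every current member survives and Local Executives is appended. The second reproduces Learnctx's warning: the higher-precedence `__Members` list wins and removes Domain Admins, Workstation Admins, Helpdesk and the local support account. The third shows that even a correct Memberof entry does not protect members that an existing `__Members` definition already excludes (here WKS01\LocalSupport), which is why the pre-existing groups must stay listed in whichever GPO owns the top box.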
 
LVL 24

Accepted Solution

by:VB ITS
VB ITS earned 360 total points
ID: 40548847
If you want to add the Local Executives to each computer's local Administrators group then follow the below steps:

1. In the Group Policy Management Console, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
2. Right click and select Add Group
3. Type in DOMAIN\Local Executives in the Add Group window that appears, or locate it via the Browse... button
4. Click Add in the This group is a member of section
5. Type in Administrators in the Group Membership window > OK > OK again
[Screenshot: Restricted-Groups.PNG]
This will add the Local Executives group to each PC's local Administrators group and keep the group membership intact.
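Once the GPO above is linked, the thing to verify on a target PC is exactly what the asker wanted: the domain group is present and nobody who was there before has gone. The script below is an added example, not code from the thread, that snapshots the local Administrators membership before the policy is applied and diffs it afterwards, distinguishing "policy did not apply" from "membership was replaced". It uses the LocalAccounts cmdlets that ship with Windows 10 / Server 2016 and later; the CONTOSO domain, the group name and the snapshot path are assumptions. As a practitioner's caveat, a domain group that is a local administrator on every PC is a lateral-movement path if any of its members is compromised, so link the GPO as narrowly as the business need allows.

```powershell
# Added example (not from the thread): check on a workstation that Restricted Groups
# added CONTOSO\Local Executives to local Administrators and removed nobody.
# Usage: .\Check-LocalAdmins.ps1 -Phase before   (prior to linking the GPO)
#        gpupdate /force
#        .\Check-LocalAdmins.ps1 -Phase after
# Needs Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016 and later).
# The CONTOSO domain, group name and snapshot path are assumptions.
param([ValidateSet('before', 'after')][string]$Phase = 'after')

$Snapshot = Join-Path $env:ProgramData 'LocalAdmins-before.json'
$Expected = 'CONTOSO\Local Executives'

function Get-LocalAdminNames {
    # Direct members of Administrators as DOMAIN\Name or COMPUTER\Name. On some builds the
    # cmdlet fails when the group holds orphaned SIDs; 'net localgroup Administrators' still works then.
    @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name | Sort-Object -Unique)
}

function Save-LocalAdminSnapshot {
    $names = Get-LocalAdminNames
    # -InputObject keeps a single member as a JSON array rather than a bare string.
    ConvertTo-Json -InputObject $names | Set-Content -Path $Snapshot -Encoding UTF8
    "Saved {0} member(s) to {1}: {2}" -f $names.Count, $Snapshot, ($names -join ', ')
}

function Test-LocalAdminPolicyResult {
    # Returns $true when the expected group is present and every snapshotted member survived.
    $before  = @(Get-Content -Path $Snapshot -Raw | ConvertFrom-Json)
    $after   = Get-LocalAdminNames
    $removed = @($before | Where-Object { $_ -notin $after })
    $added   = @($after  | Where-Object { $_ -notin $before })
    $ok = $true
    if ($Expected -notin $after) {
        Write-Warning "$Expected is missing from Administrators: the GPO did not apply here (check gpresult /r /scope computer)."
        $ok = $false
    }
    if ($removed.Count -gt 0) {
        Write-Warning "Removed: $($removed -join ', '). Membership was REPLACED, so a 'Members of this group' definition for Administrators won."
        $ok = $false
    }
    $addedText = if ($added.Count) { $added -join ', ' } else { 'none' }
    "Added since snapshot: $addedText"
    return $ok
}

if ($Phase -eq 'before') { Save-LocalAdminSnapshot } else { Test-LocalAdminPolicyResult }
```

A result of `$true` with the expected group listed under "Added since snapshot" and no warnings is the outcome the accepted answer promises. A "Removed" warning means some GPO in scope defines the Administrators group in the top box, which is the situation Learnctx describes above.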
 
LVL 54

Expert Comment

by:McKnife
ID: 40548873
Thanks for illustrating my comment, VB ITS :)
 

Author Comment

by:jskfan
ID: 40550868
VB ITS

Thanks for the screenshot and the wizard walk through...I want just to make sure I understood the procedure.

So in the screenshot you posted above, there are 2 window panels, if I add "Executive Admins" to the top window then all existing members of the local administrators group in workstations will be deleted except for "Executive Admins" that I have added.

if I add "Executive Admins" to the bottom window,  then existing members of local administrators group will stay there and "Executive Admins" group will be added.

Correct ?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40550898
No, if you add Executive Admins to the box above then the policy will attempt to place Executive Admins in the Executive Admins group. This obviously will not work very well!

If you want to replace the membership of the local Administrators group then you would specify Administrators when you go to create the Restricted Group. See below:
[Screenshot: Restricted-Groups---Replace-Administrato]
In the above scenario, the Administrators group on each workstation will have the group membership replaced so that DOMAIN\User is the only member of the group.

Hope this makes sense.
 

Author Comment

by:jskfan
ID: 40551125
No my Goal is to add Executive Admins Group to Local administrators group on each workstation without deleting the existing members of the local administrators group.
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 360 total points
ID: 40551140
Then please follow the steps in my earlier comment: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28596305.html#a40548847

My previous comment was to try and get you to understand how Restricted Groups work in Group Policy, I apologize for any confusion.

Ignore my previous comment and follow the steps linked above - this will add the Executive Admins group to the local Administrators group on each workstation that the policy is applied to. It will not delete/replace any existing members in the local Administrators group.

I hope this clears it up for you.
 

Author Closing Comment

by:jskfan
ID: 40551162
Thank you
