Solved

Restricted Group policy

Posted on 2015-01-14
9
93 Views
Last Modified: 2015-01-15
I have a security group in Active Directory called "Local Executives"
I need to create a Restricted group GPO, for Local Administrators group in each PC, so that "Local Executives" group will be member of Local Administrators group in each PC.
 However I do not want to delete the Already existing members of the local administrator group. It is kind of adding instead of removing and adding.

any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 70 total points
ID: 40548463
Then you will need to add the other groups in. If you don't your GPO will overwrite the group. Example.

You have a GPO called localadmins and a new GPO called localexecutives.

localadmins contains the following restricted membership for local admins.

Domain Admins
Workstation Admins
Helpdesk

It is the highest priority GPO on the OU. Your new GPO localexecutives has only the following in the local admin group.

Executive Admins

If you like this GPO at a higher priority than your other GPO it will win based on priority and become the basis for the local admin group removing Domain Admins, Workstation Admins and Helpdesk. So, if you are going to have a new GPO with a separate local admin group membership defined you must include the other groups which are already members as below.

Domain Admins
Workstation Admins
Helpdesk
Executive Admins
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 70 total points
ID: 40548618
jskfan, you need to take a closer look. Restricted groups let's you either define what members the local admin group has (and that will delete all others) or it will let you add that group to local admins regardless of who's already in and non-destructive against those members. There are simply too different sections in the GPO, look at it once more.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 360 total points
ID: 40548847
If you want to add the Local Executives to each computer's local Administrators group then follow the below steps:

In the Group Policy Management Console, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
Right click and select Add Group
Type in DOMAIN\Local Executives in the Add Group window that appears or locate it via the Browse... button
Click Add in the This group is a member of section
Type in Administrators in the Group Membership window > OKOK again
Restricted-Groups.PNG
This will add the Local Executives group to each PC's local Administrators group and keep the group membership in tact.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 54

Expert Comment

by:McKnife
ID: 40548873
Thanks for illustrating my comment, VB ITS :)
0
 

Author Comment

by:jskfan
ID: 40550868
VB ITS

Thanks for the screenshot and the wizard walk through...I want just to make sure I understood the procedure.

So in the screenshot you posted above, there are 2 window panels, if I add "Executive Admins" to the top window then all existing members of the local administrators group in workstations will be deleted except for "Executive Admins" that I have added.

if I add "Executive Admins" to the bottom window,  then existing members of local administrators group will stay there and "Executive Admins" group will be added.

Correct ?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40550898
No, if you add Executive Admins to the box above then the policy will attempt to place Executive Admins in the Executive Admins group. This obviously will not work very well!

If you want to replace the membership of the local Administrators group then you would specify Administrators when you go to create the Restricted Group. See below:
Restricted-Groups---Replace-AdministratoRestricted-Groups---Replace-AdministratoRestricted-Groups---Replace-Administrato
In the above scenario, the Administrators group on each workstation will have the group membership replaced so that DOMAIN\User is the only member of the group.

Hope this makes sense.
0
 

Author Comment

by:jskfan
ID: 40551125
No my Goal is to add Executive Admins Group to Local administrators group on each workstation without deleting the existing members of the local administrators group.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 360 total points
ID: 40551140
Then please follow the steps in my earlier comment: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28596305.html#a40548847

My previous comment was to try and get you to understand how Restricted Groups work in Group Policy, I apologize for any confusion.

Ignore my previous comment and follow the steps linked above - this will add the Executive Admins group to the local Administrators group on each workstation that the policy is applied to. It will not delete/replace any existing members in the local Administrators group.

I hope this clears it up for you.
0
 

Author Closing Comment

by:jskfan
ID: 40551162
Thank you
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question