Jerry Seinfield


GPO help required

Hello MS team,



I am running into a weird issue where a GPO is not showing the desired results for one OU, but for another OU, for testing purposes, I created the same GPO rule and it worked fine.





The GPO above is created to add the Domain Admin group and another AD group as part of the local admin groups for every single machine that is a member of that OU. That policy keeps those 2 groups as part of the Administrators built-in group on all PCs. My issue is that I would like to exclude 100 computer accounts from that policy, and we do not want to use delegation and manually add each computer account. Instead, we have created another group to include only PCs that will allow adding manual accounts as part of the local admin or Administrator built-in group for only this group.



I created a new GPO and tested it for another GPO test, and it worked. This test OU does not inherit any other GPOs. After testing with the settings above, both changes [2 groups are saved as part of the local admins, and any new additions to those groups are saved only for those machines that are part of the group] [see settings above for "This group is a member of"]



To recap, I do have another GPO that only allows adding the original 2 groups as members of this group under the Administrator built-in. After editing this second GPO and adding the second group, persistent changes are not saved on those computers that are members of the second group.



The idea is to have the same GPO only add the 2 groups as part of the Administrator built-in or local admin groups, but also allow other computers to manually add other accounts as part of the local admin group and keep persistent changes. I mean the 2 original groups defined above plus new accounts added to each machine that is part of the second group.



Steps taken



GPresult shows that the original GPO is being applied for the problematic OU, but any new additions to the second group are not saved. Persistent changes for any machines that are part of the second group are not working.



A new GPO with the same settings as above was created and linked to another test OU. Everything works as expected. The 2 local admin groups are properly saved under the local administrator groups for any machine under that OU.



In addition to that, if you manually add another account as part of the local admin group for any of the machines that are members of the second group, the persistent changes are saved. These machines keep the 2 local admin groups above plus the other group that allows a set of machines to save more local admin groups.



Any suggestions?
Shaun Vermaak

Any reason not to use Preferences?
Jerry Seinfield

ASKER

With that option, can I resolve my issue? Remember, the same GPO should keep the 2 groups as part of the built-in administrator on each PC, but there is another group made up of other PCs that will keep the original 2 groups plus any machine that is manually added to the local admin group on the PC and that is also a member of another group created for that purpose.
Manually added groups will not be removed
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.