That won't work. It would have to be a domain user - not a local user. There are two ways to do Restricted Groups - "members of this group" or "this group is a member of". If you use "members of this group" then the existing membership of the Restricted Group [power users in your case] will be removed and replaced with what is specified for "members of this group". If you use "this group is a member of" then the global group/users you specify will be added to the power users group and the existing members will not be removed. If you do not want Restricted Groups to apply to that computer then move it to an Organizational Unit that would not have that Group Policy apply to it or filter the Group Policy by adding the computer account to the deny apply permission for the Group Policy Object. --- Steve
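The two Restricted Groups modes described in the reply above, modelled as an added example (not code from the thread or from Microsoft). Restricted Groups settings are stored in the GPO's GptTmpl.inf under [Group Membership]; the sketch parses that section and shows what a policy refresh does to a manually added local account. The SIDs other than the well-known Power Users SID, the account name WKS01\diaguser and the function names are constructed, and the replace/add handling is a simplified model of the behaviour the reply describes.

```python
import configparser

POWER_USERS = "*S-1-5-32-547"  # well-known SID of BUILTIN\Power Users

# Constructed samples of a GptTmpl.inf [Group Membership] section.
# The domain SID and RID are placeholders, not values from the thread.
SAMPLE_REPLACE = """\
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111-2222-3333-1105
"""
SAMPLE_ADD = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-547
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": list or None, "memberof": list}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep SIDs and names exactly as written
    cp.read_string(inf_text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        entry = groups.setdefault(group, {"members": None, "memberof": []})
        names = [v.strip() for v in value.split(",") if v.strip()]
        if kind.lower() == "members":
            entry["members"] = names   # key present, even if empty: replace mode
        elif kind.lower() == "memberof":
            entry["memberof"] = names
    return groups

def apply_policy(policy, target, current):
    """Model the membership of `target` after a policy refresh (simplified)."""
    result = set(current)
    if target in policy and policy[target]["members"] is not None:
        result = set(policy[target]["members"])  # existing members are dropped
    for group, entry in policy.items():
        if target in entry["memberof"]:
            result.add(group)                    # additive, nothing is removed
    return result

if __name__ == "__main__":
    local = {"WKS01\\diaguser"}  # constructed: account added by hand on the PC
    for name, text in (("replace", SAMPLE_REPLACE), ("add", SAMPLE_ADD)):
        after = apply_policy(parse_restricted_groups(text), POWER_USERS, local)
        print(name, sorted(after))
```

In replace mode the hand-added local account disappears from Power Users at the next refresh, which matches the symptom in the original question.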
Thanks for the help and link. I've added the local user to the Power Users group account under Restricted Groups on the Workstations policy for the primary domain controller for the domain. Will this user be listed as a Power User on the local machine itself now?
:
There is no power users group in Active Directory - it is only available as a local group on domain computers. However Group Policy Restricted Groups can be used to manage membership of the power users group which seems to be the case here. It sounds like Restricted Groups is not configured correctly if the domain user in question is being removed from the power users group or the domain user is not a member of the global group [don't use domain local groups] specified in Restricted Groups. The link below may help in explaining how to configure Restricted Groups. You would need to check the configuration for Restricted Groups for the Group Policy that rsop.msc shows as enforcing Restricted Groups. --- Steve
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
The computer is a member of AD and so I ran rsop.msc. However, I'm very new to Windows administration, so I have no idea what all these security settings are telling me. What exactly should I be looking for? Under the "Restricted Groups" folder in the Computer Configuration section, I have Administrators and Power Users listed, and the local user name with the issue is a member of the group listed under Power Users. Why is there no group called Power Users under the Active Directory list of groups, but there is under local Computer Management?
:
If the computer is a member of an Active Directory domain there could be a Group Policy Restricted Groups configuration that is enforcing group membership. Running rsop.msc on that computer probably would show such if that is the case. If not a member of an AD domain then it is hard to say what is going on but I would enable auditing of account management in Local Security Policy and then look for an account management event for change of group membership to see what user changed the group membership. If the user is system that would indicate that something on the computer is configured to enforce group membership. --- Steve
I have a computer that is used for a certain automotive diagnostic program and this program requires that the user be logged on as a Power User due to licensing issues. To set this up, I logged on as Administrator and added this user login name to the Power Users group under Computer Management and Local Users and Groups. I then logged out as Administrator and logged in as the local user and everything worked fine. However, Windows XP seems to "forget" that this user is a member of the Power Users group, as I've had to do the same procedure three times now. I'm assuming it happens after the users restart the machine, but, regardless, is there some step I'm missing to get this user to remain a Power User? Why is this setting not saved? Thanks.