Resricted groups, Server Operators

[A. Bladh]

We have several win2k DC's, all in different OUs onder DomainControllers OU.
We have one "server-admin-x" group for every DC..

That I want to do is that the "server-admin-x" group should belong to the
Builtin
group "Server-Operators" (only on one server.) (The "server-admin-x" needs
to be
able to create shares and so on, only in one of the DC's.)

So what I have done is to create one GPO for every DC OU. In that GPO I have
added Server operators in Restricted groups and added "domain admins" &
"server-admin-x".

So far everything is working fine; "server-admin-x" can logon and for
example create shares. When I look in the "Server operators group" in one
of the DCs, I can see "domain admins" & "server-admin-x".

The Problem is that after a couple of hours ( or next day) the
"server-admin-x" group is replaced with "server-admin-y" from some other
server-admin group ? ? ? Why ?

If I run "secedit /refreshpolicy machine.. " the GPO is applied again and
then it's working for a couple of hours, and then the same problem again...
(In "Default domain controllers" GPO and "Default domain" GPO is no changes
made for restricted groups)

Best Regards,

Andreas

 

[Steven L Umbach]

Sounds as if another GPO is linked to that OU or configured with a do not
overide at a higher level that may be causing a conflict . Try using
gpresult on that machine to see what it reports, or better yet if you have
an XPSP1 machine in the domain download and install the Group Policy
management Console on it to manage your GPO's which will be very helpful in
troubleshooting. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321709

 

[A. Bladh]

Thanks for your reply,
I have alredy tried GPMC, and everything looks ok (no other
policies/settings are inherited)

when i run "secedit../refreshpolicy...." to re-aplly the GPO, it's woring
fine, so it seems like that i don't get anything from a higher level.