restricted groups have broken Admin access....help!

[Guest]

I set up a restricted group to give users, local admin access.
As soon as I set it up it stopped all my domain admin access and IUSR access
from the server. I have tried completely removing the groups but the admin
access never returns.

what to do?????

 

[Cary Shultz [A.D. MVP]]

Fabrussio,

With the default use of Restricted Groups GPO all of the current user
account objects and group objects are removed from the 'focus' local group
( in your case the local Administrators group ) and replaced with the group
of your choice. So, this means that the Domain Admins group was removed
when you configured the GPO. So, all of the computer account objects that
fall under the scope of management of this GPO will no longer have the
Domain Admins as members of their local Administrators group.

How to fix this? Well, you could have used the fix for this ( please see
http://support.microsoft.com/?id=810076 ) or you could make sure that you
add two groups: the group of your choice -AND- the Domain Admins group.

HTH,

Cary

 

[Guest]

Thanks Cary, I need to confess that I followed
http://www.jsiinc.com/SUBK/tip5300/rh5319.htm
for how to set up my restricted group, but I ignored the 'do this on a
member server' bit and just added my choosen users to the 'administrator'
group on the DC...!!! (this is the domain admin..right!....doh!!!...stupid!!)
Then the Domain Admin access was lost.
I then tried deleting the GPO and redoing the restricted group as per
instructions on a workstation+adminpak, but the domain access still did not
come back.
I eventually gave up and deleted all traces of the groups and GPO, but still
no access.
What have I done?
Would your fix below get back my http://localhost access, is that to do with
IUSR?

any advice would be great..someone recommended I restore system state, but
that is not going to be popular at work.