Restricted Groups Limitation


charlie

I am trying to use Restricted Groups in order to put a
Global Group containing 2 users into the local
Administrators Group on every computer in the OU.
From a W2K SP4 Member Server I open AD Users and
Computers, I create the Global Group in the OU, I go to
the Restricted Groups node in the GP for my OU, I browse
to the group that I created, make it a restricted group
and add the two users. Next I click the Add button in
the "Make this group a member of..." section but when I
try to look in the local computer for the Administrators
Group, there are no groups listed and it won't let me add
by typing in the group name either.
From everything I've read, I am supposed to be able to use
Restricted Groups to force a Global Group to be a member
of another group by using this method. By adding it to
the local Administrators Group on the member server, it
should end up in every local Administrators group in the
OU. Any help would be greatly appreciated. Thanks.
 
Hi,

You should do it the other way around. The GPO with restricted groups should
be applied to the computers in question. You add the "Administrators" group
as a restricted group, and select the global group from AD as a member of
this group.


Arild
 
Hi Charlie,

Thank you for the posting. As you indicated, you want to add a global
group so that it is a member of the local administrators group on all
workstations and member servers by using group policy restricted groups.

To do so, please refer to this knowledge base article:

320065 How to Configure a Global Group to Be a Member of the Administrators
http://support.microsoft.com/?id=320065

Hope this helps and answers your question. If anything is unclear, please
let me know.

Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
OK - you made me check the knowledge base on this one....
I didn't want to do it the way you have explained because
I'm afraid that it will make the local Administrators
Group on every workstation restricted. In other words it
will only contain the Global Group that I add to it and
any other users that I designate. That would be a
problem because we wouldn't have any flexibility for
situations where a user NEEDS to be an Admin on their own
machine.
I'll experiment with this but I still think from what
I've read that I should be able to use the "Member of"
function in Restricted Groups to make the restricted
group itself a member of the Administrators group.
Charlie
 
You are correct. The way Arild is telling you to do it would set all of your
local Administrators groups to only have the global group, thus removing the
local administrator and domain administrator from the membership.

First, use this KB to enable logging.
http://support.microsoft.com/default.aspx?scid=kb;en-us;245422 Then force a
policy propagation (secedit /refreshpolicy machine_policy /enforce). Open
up %windir%\security\logs\winlogon.log. What errors exist when the attempt
to add the global group to the Administrators group occurred?

One cautionary point: don't mix Members and Member Of settings. So don't
have a restricted group members setting (upper dialog) set for the
administrators group and then have a restricted group member of setting
(lower dialog) that adds a different group to the administrators group. The
two settings weren't designed to work together so there are times you can
get undesired results.

N
 
Thanks, Nick
I still am wondering why I can't get the restricted
global group into a local group on a member server or WS.
Again, according to the various KB articles that I read I
should be able to use the "reverse membership"
functionality to do this, which is what I badly need to
do.
Charlie
-----Original Message-----
You are correct. The way Arild is telling you to do would set all of your
local administrator groups to only have the global group, thus removing the
local administrator and domain administrator from the membership.

First, use this KB to enable logging.
http://support.microsoft.com/default.aspx?scid=kb;en-us;245422 Then force a
policy propagation (secedit /refreshpolicy
machine_policy /enforce). Open
 
I THINK I have solved this. On the member server, when I
needed to choose the local Administrators group as the
group to make the restricted group a member of, I simply
focused on the local machine and typed
in "Administrators". I could not browse to the local
groups and I couldn't type "<machinename>\Administrators".
Now when I look at the Group Policy for the OU, it shows
my restricted group as a member of Administrators and if
I look in the Administrators group on the server where I
performed the action, the restricted group is there.
HOWEVER, when I looked at the Administrators Group on a
W2K Workstation, even after a GP refresh, the restricted
group was not in the Administrators group. The
difference might be that the server has SP4, the
workstation doesn't. I'll try that next.
 
Really, you should avoid using the "Member Of" part, as it is not truly a restricted
part, and the same result can always be achieved with the "Members" part and another
restricted group.
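The two points made above by Nick and by the last reply (a Members list on Administrators replaces the whole local membership at every refresh, and a Members entry must not be mixed with a Member Of entry that targets the same group) can be checked before a GPO is linked, because Restricted Groups settings are stored as plain text in the template's [Group Membership] section. The following script is an added example, not code from the thread or from Microsoft: it parses that section from a constructed GptTmpl.inf fragment (the `*SID__Members` / `GROUP__Memberof` key layout is the security-template format as I understand it; group names and SIDs below are made up) and reports which groups will have their membership overwritten and where a Members list and a Member Of entry collide.

```python
"""Audit the Restricted Groups ([Group Membership]) section of a GptTmpl.inf.

Added example for the thread above, not the project's or Microsoft's code.
Assumptions: keys are written as '<group>__Members' / '<group>__Memberof',
values are comma-separated SIDs (prefixed with '*') or DOMAIN\\Name strings.
Real templates are UTF-16; decode the file before handing the text over.
"""

ADMINISTRATORS_SID = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample: Administrators gets a Members list (replaces membership)
# AND a second group is pushed into Administrators via Member Of, which is
# exactly the combination the thread says not to mix.
SAMPLE_GPTTMPL = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,EXAMPLE\\ServerAdmins
EXAMPLE\\WSAdmins__Memberof = *S-1-5-32-544
EXAMPLE\\WSAdmins__Members = EXAMPLE\\alice,EXAMPLE\\bob
"""


def parse_group_membership(text):
    """Return {group: {"Members": list|None, "Memberof": list|None}}.

    None means the key is absent; an empty list means the key is present with
    no value (for Members that enforces an EMPTY group, not "no change").
    """
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        group, _, kind = key.rpartition("__")
        if kind not in ("Members", "Memberof"):
            continue
        entries = [v.strip() for v in value.split(",") if v.strip()]
        settings.setdefault(group, {"Members": None, "Memberof": None})[kind] = entries
    return settings


def overwritten_groups(settings):
    """Groups whose entire membership will be replaced at each policy refresh."""
    return sorted(g for g, s in settings.items() if s["Members"] is not None)


def mixed_settings(settings, target=ADMINISTRATORS_SID):
    """Groups added to `target` via Member Of while `target` also carries a
    Members list that does not include them: the mixed case the thread warns
    about, where the result is undefined."""
    members = settings.get(target, {}).get("Members")
    if members is None:
        return []
    return sorted(g for g, s in settings.items()
                  if s["Memberof"] and target in s["Memberof"] and g not in members)


def audit(text, target=ADMINISTRATORS_SID):
    """Human-readable findings for one template; returns a list of strings."""
    settings = parse_group_membership(text)
    findings = []
    for g in overwritten_groups(settings):
        findings.append(f"{g}: Members list {settings[g]['Members']} replaces all "
                        "existing members at every refresh (local additions are lost)")
    for g in mixed_settings(settings, target):
        findings.append(f"{g}: added to {target} via Member Of but absent from its "
                        "Members list; Members and Member Of are mixed, result undefined")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_GPTTMPL):
        print(line)
```

Run it against the constructed sample and it flags both problems; removing the `*S-1-5-32-544__Members` line leaves only the additive Member Of entry, which is the shape Charlie was after, while removing the `__Memberof` line and listing every wanted group under `__Members` is the "other restricted group" approach the last reply recommends.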
 