Restricted Groups: "Member of" and add Domain Groups to local Groups

  • Thread starter Thread starter Hansi
  • Start date Start date
H

Hansi

Hello GPO Cracks

I want to add a Global Group from a Domain to every Workstations lokal
Group "Administrators" (or somthing else). I want to make it with
resticted Groups Policy. In this GPO, i want to do it strictly with
the lower field "member of", because of emptiing the local group in
case of "members".

I have tried do do the following:

1. Create a global Group "TestDomainGlobal" in a W2K3 Domain and
polulate it.
2. On a OU, I create and link a GPO, named TestRestGroup.
3. In TestRestGroup, I go to Restricted Groups under Computer
Configuration and klick "add group".
4. I take the "TestDomainGlobal" as the restricted Group.
5. On the Properties Page of "TestDomainGlobal", I take the lower
Field "This Group is a member of" and press the add-Button nearby.
(Not Members of this Group !!!)
6. I Open "Browse" in the Dialog "Group Membership"
7. I click "Locations" to change the Scope from the "entire Directory"
to the local machine. The local machine is visible there.
8. I select the local machine. Now i want to take e.g. the local
Administrators group as the target for adding the "ThestDomainGlobal"
Group. But the Field "object Type" is empty. No local Group can be
selected. Also entering "Administrators" directly in Select Groups
Dialog doesn't work.

Why is the object type empty and not selectable in case I choose the
local machine as source for the "member of" instead of the domain?
Why is it not possible to add my Global Group to the System local
Group with the "member of" ?

In KB 810076 is noted, that my described steps should work. (Table 1:
My Organizational Unit Regional Admins (regional OU custom)
Administrators (local built-in) OU level Administrators group contains
Domain Admins, My Management Admins, and My Organizational Unit Admins
......)

I work on a XP SP2 with all Updates installed. Also the adminpack and
the GPMC is installed.

Thanks for Ideas.
 
In my experience it works if I type administrators in the name of group to be
member of. The other thing to do is make sure that you move computers into that
OU that you want the restricted group to be enforced on. --- Steve
 
Back
Top