Restricted Groups Problem

Guest

I implemented a GPO and set up restricted groups for Domain Admins, and
the Administrators group at the domain level. I modified the default domain
policy. I added administrator and a BackupExec service account to both
groups under "Members of this group". A few days later I noticed everyone
that used to be admin on their PC no longer has Admin rights and the Domain
Admins group is no longer in the local Administrators group on any of my XP
machines. I have since deleted the restricted groups setting in the default
domain policy. How can I add Domain Admins back into the local Administrators
group on all XP machines as quickly as possible?

Thanks for your time
 
Just create a restricted group for administrators and assign Domain Admins
to the "Members of this group:" setting. When you create the rgroup, on the
add group dialog, just type in administrators. Don't use the Browse button
or else the account could be resolved to a local SID which will cause this
not to work for what you need.

N
 
I believe the easiest way would be to re-enable the restricted groups
setting, adding in domain admins.

Just a note for next time--you don't want to make many settings at the
domain level--this will affect your domain controllers and every user,
including the administrator account.

Good luck

Ken
 
If you want to control the domain's Administrators and Domain
Admins groups' memberships without affecting the Administrators
groups on members, then use a restricted group definition in a GPO
that is linked to the Domain Controllers OU.

Others have advised on how to effect a partial reversal on
client machines. For the per-machine differences on the members
you will need to visit them in a snap-in or use a scripted solution.
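
Added example, not part of the original thread: a Python check a reviewer could run over the `[Group Membership]` section of a GPO security template (GptTmpl.inf) before linking it, flagging a "Members of this group" entry that replaces the Administrators membership without listing Domain Admins. The two template texts, the `EXAMPLE` domain, the account names and the domain SID are constructed sample values; a real GptTmpl.inf is typically UTF-16 encoded and would need decoding first.

```python
# Restricted Groups audit for the [Group Membership] section of GptTmpl.inf.
# "<group>__Members" replaces a group's membership with exactly the listed
# principals; "<group>__Memberof" only adds the group to other groups.
ADMINISTRATORS = {"administrators", "*s-1-5-32-544"}  # name or well-known SID

# Constructed sample: the setting described in the first post.
ORIGINAL_INF = r"""
[Unicode]
Unicode=yes
[Group Membership]
Administrators__Memberof =
Administrators__Members = EXAMPLE\Administrator,EXAMPLE\BackupExecSvc
"""
# Constructed sample: Domain Admins (domain SID ending in RID 512) listed.
FIXED_INF = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

def parse_group_membership(inf_text):
    """Return {(group, kind): [principals]}, kind is 'members' or 'memberof'."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep:
                principals = [p.strip() for p in value.split(",") if p.strip()]
                entries[(group.lower(), kind.lower())] = principals
    return entries

def is_domain_admins(principal):
    p = principal.lower()
    return p.split("\\")[-1] == "domain admins" or (
        p.startswith("*s-1-5-21-") and p.endswith("-512"))

def audit(inf_text):
    """Findings for entries that would drop Domain Admins from Administrators."""
    findings = []
    for (group, kind), principals in parse_group_membership(inf_text).items():
        if kind == "members" and group in ADMINISTRATORS:
            if not any(is_domain_admins(p) for p in principals):
                findings.append(f"{group}: membership replaced by {principals}; "
                                "Domain Admins not listed")
    return findings
```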
 