Discussion:
Restricted groups GPO deleted but still applying to WS's...
Isaac Story
2006-01-13 22:43:02 UTC
I started using the restricted groups GPO to add a domain group to local
admin accounts on workstations and it had an unforeseen consequence. It
replaced all local administrator account membership on every workstation.
This was bad since we have a small handful of users that need admin rights to
their workstations only. So I removed that GPO and fixed these users that had
their rights taken away. Now for some reason there are a couple of workstations
that still appear to be applying the GPO when it doesn't even exist. Has
anyone ever seen this? Or is there a recommended method of diagnosing this
problem? I found the KB on viewing the group policy application history in
the registry, but the data in the registry doesn't really make any sense or
help me at all.
chief
2006-01-18 23:42:24 UTC
I'm seeing the same thing concerning the restricted groups GPO wiping
out all the local admin accounts. I need to know how to assign groups
to the local admin group on a workstation without the existing members
getting removed.
Post by Isaac Story
I started using the restricted groups GPO to add a domain group to local
admin accounts on workstations and it had an unforeseen consequence. It
replaced all local administrator account membership on every workstation.
This was bad since we have a small handful of users that need admin rights to
their workstations only. So I removed that GPO and fixed these users that had
their rights taken away. Now for some reason there are a couple of workstations
that still appear to be applying the GPO when it doesn't even exist. Has
anyone ever seen this? Or is there a recommended method of diagnosing this
problem? I found the KB on viewing the group policy application history in
the registry, but the data in the registry doesn't really make any sense or
help me at all.
Paul Williams [MVP]
2006-01-22 06:49:44 UTC
Restricted groups, as far as I'm aware, has no merge feature. It wasn't
designed to help roll out group membership, but rather to enforce group
membership to rule out inconsistencies and mistakes.

Restricted groups needs to be planned. You must not forget to add
DOMAIN\Domain Admins and Administrator if you are pushing this out to member
servers.

If you just wish to add a group to the local admins, and have many bespoke
local admin group members, you should use a startup script:
-- http://www.msresource.net/content/view/45/47/
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
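The startup-script approach Paul recommends, written out as an added example (this is not code from the thread or from msresource.net). It binds to the local Administrators group through the WinNT ADSI provider, which is available on every Windows version and works from a computer startup script running as SYSTEM, enumerates the current members first, and only adds the domain group if it is missing, so the handful of per-workstation local admins keep their rights and the script is safe to run at every boot. The domain name `CONTOSO` and group name `Workstation Admins` are placeholders. One related caveat worth knowing before choosing a script at all: the behaviour described in the thread comes from the "Members of this group" setting, which is authoritative and replaces the group's membership; the other Restricted Groups setting, "This group is a member of", adds the restricted group to the target group without removing existing members.

```powershell
# Added example: a computer startup script that ADDS a domain group to the local
# Administrators group and leaves the existing members alone (idempotent).
# Domain and group names are placeholders; adjust for your environment.
param(
    [string]$Domain     = 'CONTOSO',             # assumption: NetBIOS name of your domain
    [string]$GroupToAdd = 'Workstation Admins',  # assumption: domain group that should be local admin
    [string]$LocalGroup = 'Administrators'
)

# Bind to the local group via the WinNT ADSI provider. Running as SYSTEM at startup
# is sufficient to modify local group membership; no domain credentials are needed.
$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/$LocalGroup,group"

# Enumerate current members by ADsPath, e.g. WinNT://CONTOSO/jsmith or
# WinNT://WS01/LocalAdminUser. We keep every one of them.
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

$wanted = "WinNT://$Domain/$GroupToAdd"

# -contains compares strings case-insensitively, which matches how Windows treats names.
if ($members -contains $wanted) {
    Write-Output "$Domain\$GroupToAdd is already in $LocalGroup; nothing to do."
} else {
    # Add only the one group. Unlike Restricted Groups 'Members of this group',
    # nothing else in the group is touched.
    $group.psbase.Invoke('Add', $wanted)
    Write-Output "Added $Domain\$GroupToAdd to $LocalGroup. Existing members kept:"
    $members | ForEach-Object { Write-Output "  $_" }
}
```

Assign it under Computer Configuration > Windows Settings > Scripts (Startup) in a GPO linked to the workstation OUs. Because it checks membership before calling `Add`, repeated runs produce no duplicate entries and no errors, and the log line listing the preserved members gives you an audit trail of who still holds local admin on each machine.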
Paul Williams [MVP]
2006-01-22 06:47:13 UTC
Check the userenv.log on those machines. They're probably using an old GPO
(because SYSVOL replication has broken on a machine - this is possible in XP
as it will still process out-of-sync versions) or are unable to contact a DC
and are using the current settings (cache).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
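A way to check Paul's two hypotheses (stale GPO copy, or cached settings because no DC was reachable) on an affected workstation, as an added example that is not part of the original reply. It reads the same Group Policy History registry key Isaac mentions, but only the branch belonging to the Security Settings client-side extension, which is the component that implements Restricted Groups, and for each GPO it last applied it checks whether that GPO's folder still exists in SYSVOL. An entry whose `StillInSysvol` is false is a GPO that has been deleted (or is missing from the DC this machine talks to) yet is still what the extension last processed. The second function turns on the verbose `userenv.log` Paul refers to; the `UserEnvDebugLevel` value is the documented XP/2003 switch for that log.

```powershell
# Added example: which GPOs did the Security Settings extension (Restricted Groups)
# last apply on this machine, and do they still exist in SYSVOL?
# Run in an elevated PowerShell session on the affected workstation.

# Machine policy history lives here; each client-side extension has a subkey named
# by its GUID. The GUID below is the Security Settings CSE (scecli.dll).
$historyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$securityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-SecurityGpoHistory {
    $cseKey = Join-Path $historyRoot $securityCse
    if (-not (Test-Path $cseKey)) {
        Write-Warning "No Security CSE history found under $historyRoot"
        return @()
    }
    # Subkeys are numbered 0, 1, 2, ... in the order the GPOs were applied.
    Get-ChildItem $cseKey | Sort-Object { [int]$_.PSChildName } | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Order         = [int]$_.PSChildName
            DisplayName   = $v.DisplayName
            GpoGuid       = $v.GPOName        # the GPO GUID, i.e. its folder name under SYSVOL\Policies
            FileSysPath   = $v.FileSysPath    # \\<domain>\SysVol\<domain>\Policies\{GUID}\Machine
            DsPath        = $v.DSPath         # the groupPolicyContainer object in AD
            Version       = $v.Version
            # False means the GPO folder is gone from the DC this machine is using:
            # either the GPO was deleted or SYSVOL replication on that DC is broken,
            # and the CSE is still working from the copy it last processed.
            StillInSysvol = if ($v.FileSysPath) { Test-Path -LiteralPath $v.FileSysPath } else { $false }
        }
    }
}

function Enable-UserenvLogging {
    # Windows XP / Server 2003 only. After the next refresh (gpupdate /force or a
    # reboot) the verbose log is written to %SystemRoot%\Debug\UserMode\userenv.log.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $winlogon -Name 'UserEnvDebugLevel' -Value 0x30002 -Type DWord
}

Get-SecurityGpoHistory |
    Format-Table Order, DisplayName, GpoGuid, Version, StillInSysvol -AutoSize
```

Compare the `GpoGuid` column against the GPOs that still exist in Group Policy Management; a deleted Restricted Groups GPO showing up with `StillInSysvol` false confirms the machine is processing stale state rather than a GPO that somehow survived. If a GUID does show up in SYSVOL on one DC but not another, that points at the replication problem Paul describes. On Vista and later there is no `userenv.log`; the equivalent detail is in the Microsoft-Windows-GroupPolicy/Operational event log, and `gpresult /r /scope:computer` shows which DC the machine pulled policy from.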