Discussion:
Restricted Groups Propagating to Most but not All Users...
Wes H
2009-06-19 12:28:02 UTC
This is weird, so I created an AD security group called LocalAdmin and put a couple
people I wanted to give local admin rights to into that group. I then went
into the Default Domain Policy and under computer/security/restricted groups
I created a new one and used the "member of" way so it wouldn't remove
anything. I made my new AD group called LocalAdmins a member of the
"administrators" group. Now, this worked for about 95% of the organization
(it took like 2 days), but there were a handful of computers that I had to
manually do a GPUpdate /force on to get it to work. Why would that be? I
looked and these computers are in the same OU as some other ones that worked.
Any ideas?

-Wes
Marcin
2009-06-19 13:04:17 UTC
Wes - this is not expected - since security settings should be applied to
domain member computers every 16 hours... Do you see event 1704 in the
Application event log on those clients? Is there any chance that they were
off the network during the refresh interval? If not, I'd suggest following
standard GPO troubleshooting methods - as described in
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx

hth
Marcin
Post by Wes H
This is weird, so I created an AD security group called LocalAdmin and put a couple
people I wanted to give local admin rights to into that group. I then went
into the Default Domain Policy and under computer/security/restricted groups
I created a new one and used the "member of" way so it wouldn't remove
anything. I made my new AD group called LocalAdmins a member of the
"administrators" group. Now, this worked for about 95% of the organization
(it took like 2 days), but there were a handful of computers that I had to
manually do a GPUpdate /force on to get it to work. Why would that be? I
looked and these computers are in the same OU as some other ones that worked.
Any ideas?
-Wes
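To check a client in the state described above, here is an added PowerShell example (not from the thread or either poster) that reads the live membership of the local Administrators group and finds the most recent SceCli 1704 "security policy applied" event that Marcin asks about. The domain group name CONTOSO\LocalAdmins is an assumption; substitute the group your Restricted Groups setting adds.

```powershell
# Added example: verify on a domain-joined client that a Restricted Groups
# "Member of" setting actually landed, and when security policy last applied.
$ExpectedDomainGroup = 'CONTOSO\LocalAdmins'   # assumed DOMAIN\Group from the GPO
$HoursBack           = 48                      # window to search for SceCli 1704

# 1. Read the current members of the local Administrators group through the
#    WinNT ADSI provider (works on every Windows version, no RSAT needed).
$adminGroup = [ADSI]'WinNT://./Administrators,group'
$members = @($adminGroup.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    # AdsPath is e.g. WinNT://CONTOSO/LocalAdmins; normalise to DOMAIN\Name
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
$applied = $members -contains $ExpectedDomainGroup

# 2. Most recent "Security policy in the Group policy objects has been applied
#    successfully" event: source SceCli, ID 1704, Application log.
$lastPolicy = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SceCli'
    Id           = 1704
    StartTime    = (Get-Date).AddHours(-$HoursBack)
} -MaxEvents 1 -ErrorAction SilentlyContinue

# 3. Report. A recent 1704 with the expected group missing is exactly the
#    state in the thread: policy refreshed, but this setting did not take.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    LocalAdmins       = $members -join '; '
    ExpectedGroupSeen = $applied
    LastSecPolicyTime = if ($lastPolicy) { $lastPolicy.TimeCreated } else { 'none in window' }
}

if (-not $applied) {
    Write-Warning "Restricted Groups setting not reflected; compare 'gpresult /scope computer /v' on this host against a working one."
}
```

Running it on a working and a failing machine side by side shows whether the failing one is missing the GPO entirely (no 1704 in the window) or received a policy refresh that did not contain the setting.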
Wes H
2009-06-19 14:04:01 UTC
Thanks for the reply. Ok, I checked the event viewer on the PC in question,
and she had 1704's in there for days, so she was getting the updates. It was
just that I had to manually do a gpupdate /force for them to apply??? That
is bizarre. Do you think this is because I put it into the default domain
policy? Why would almost all other users get them?

-Wes
Post by Marcin
Wes - this is not expected - since security settings should be applied to
domain member computers every 16 hours... Do you see event 1704 in the
Application event log on those clients? Is there any chance that they were
off the network during the refresh interval? If not, I'd suggest following
standard GPO troubleshooting methods - as described in
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx
hth
Marcin
Post by Wes H
This is weird, so I created an AD security group called LocalAdmin and put a couple
people I wanted to give local admin rights to into that group. I then went
into the Default Domain Policy and under computer/security/restricted groups
I created a new one and used the "member of" way so it wouldn't remove
anything. I made my new AD group called LocalAdmins a member of the
"administrators" group. Now, this worked for about 95% of the organization
(it took like 2 days), but there were a handful of computers that I had to
manually do a GPUpdate /force on to get it to work. Why would that be? I
looked and these computers are in the same OU as some other ones that worked.
Any ideas?
-Wes
Marcin
2009-06-19 14:47:46 UTC
Wes,
modifying the Default Domain Policy in general is not a good idea - so I'd
avoid it in the future, but I don't see a reason why this would cause the
issue you are describing. You can use the link I provided to troubleshoot it
further...

hth
Marcin
Post by Wes H
Thanks for the reply. Ok, I checked the event viewer on the PC in question,
and she had 1704's in there for days, so she was getting the updates. It was
just that I had to manually do a gpupdate /force for them to apply??? That
is bizarre. Do you think this is because I put it into the default domain
policy? Why would almost all other users get them?
-Wes
Post by Marcin
Wes - this is not expected - since security settings should be applied to
domain member computers every 16 hours... Do you see event 1704 in the
Application event log on those clients? Is there any chance that they were
off the network during the refresh interval? If not, I'd suggest following
standard GPO troubleshooting methods - as described in
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx
hth
Marcin
Post by Wes H
This is weird, so I created an AD security group called LocalAdmin and put a couple
people I wanted to give local admin rights to into that group. I then went
into the Default Domain Policy and under computer/security/restricted groups
I created a new one and used the "member of" way so it wouldn't remove
anything. I made my new AD group called LocalAdmins a member of the
"administrators" group. Now, this worked for about 95% of the organization
(it took like 2 days), but there were a handful of computers that I had to
manually do a GPUpdate /force on to get it to work. Why would that be? I
looked and these computers are in the same OU as some other ones that worked.
Any ideas?
-Wes