RE: Restricted groups

From: David Pharr [MSFT] (dpharr_at_microsoft.com)
Date: 07/23/04


Date: Fri, 23 Jul 2004 14:42:08 GMT

Sounds like you used restricted groups to ensure that a particular domain
user account was a member of the local administrators group. Removing the
computer from the OU is not going to cause the user account to be removed -
you will have to remove it manually.

Restricted groups enforce membership - you can set it so that only certain
users are members of a particular group or so that a particular group is
added as a member of other groups. It doesn't "undo" the addition of the
user account to the group if you remove the computer from the OU where the
policy enforcing this setting is applied.

228496 HOW TO: Use Restricted Groups in Windows 2000
http://support.microsoft.com/?id=228496

279301 Description of Group Policy Restricted Groups
http://support.microsoft.com/?id=279301

David Pharr, dpharr@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: <anonymous@discussions.microsoft.com>
| Subject: Restricted groups
| Date: Wed, 21 Jul 2004 22:32:57 -0700
|
| Hi,
| I have added the domain user to the local administrator group
| of all the PCs coming under one OU with the help of
| restricted groups, but now I have moved that PC from that
| OU. But still that user is in the administrator group of
| those PCs. Why is that user still having admin privileges
| even though that user is no more in that OU? Please could any of
| you address this issue?
| Regards,
| Srinivas Acharya
|
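
The manual removal described in the reply, as an added example that is not part of the original thread: this PowerShell script checks the local Administrators group on computers that were moved out of the OU and, when run with -Remove, deletes the leftover account through the ADSI WinNT provider. The computer names, domain and account are placeholders; it assumes the built-in group is named Administrators and that it runs with administrative rights on the target machines.

```powershell
# Added example, not from the thread. All names below are placeholders.
param(
    [string[]]$ComputerName = @('PC-0142', 'PC-0143'),  # computers moved out of the OU
    [string]$Domain  = 'CONTOSO',
    [string]$Account = 'jdoe',      # account the Restricted Groups policy had added
    [switch]$Remove                 # report only unless this switch is given
)

# ADsPath under which a domain account appears in a local group.
$target = "WinNT://$Domain/$Account"

foreach ($computer in $ComputerName) {
    try {
        # Bind to the local group through the ADSI WinNT provider.
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Members() returns COM objects; read each member's ADsPath.
        $paths = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })

        # -contains compares case-insensitively, like account names do.
        if ($paths -notcontains $target) {
            Write-Output "${computer}: $Domain\$Account is not a member"
        }
        elseif ($Remove) {
            # The policy no longer applies here, so nothing will re-add the account.
            $group.psbase.Invoke('Remove', $target)
            Write-Output "${computer}: removed $Domain\$Account from Administrators"
        }
        else {
            Write-Output "${computer}: $Domain\$Account is still a member (rerun with -Remove)"
        }
    }
    catch {
        # Unreachable host, access denied, or a differently named group.
        Write-Warning "${computer}: check failed ($($_.Exception.Message))"
    }
}
```

Run it without -Remove first to see which machines still carry the membership.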


