Re: restricted groups have broken Admin access....help!

From: Fabrussio (Fabrussio_at_discussions.microsoft.com)
Date: 11/07/04


Date: Sun, 7 Nov 2004 09:08:02 -0800

Thanks Cary, I need to confess that I followed
http://www.jsiinc.com/SUBK/tip5300/rh5319.htm
for how to set up my restricted group, but I ignored the 'do this on a
member server' bit and just added my chosen users to the 'administrator'
group on the DC...!!! (this is the domain admin..right!....doh!!!...stupid!!)
Then the Domain Admin access was lost.
I then tried deleting the GPO and redoing the restricted group as per
instructions on a workstation+adminpak, but the domain access still did not
come back.
I eventually gave up and deleted all traces of the groups and GPO, but still
no access.
What have I done?
Would your fix below get back my http://localhost access, is that to do with
IUSR?

Any advice would be great..someone recommended I restore system state, but
that is not going to be popular at work.

"Cary Shultz [A.D. MVP]" wrote:

> Fabrussio,
>
> With the default use of Restricted Groups GPO all of the current user
> account objects and group objects are removed from the 'focus' local group
> ( in your case the local Administrators group ) and replaced with the group
> of your choice. So, this means that the Domain Admins group was removed
> when you configured the GPO. So, all of the computer account objects that
> fall under the scope of management of this GPO will no longer have the
> Domain Admins as members of their local Administrators group.
>
> How to fix this? Well, you could have used the fix for this ( please see
> http://support.microsoft.com/?id=810076 ) or you could make sure that you
> add two groups: the group of your choice -AND- the Domain Admins group.
>
> HTH,
>
> Cary
>
> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message
> news:865C4FA1-D36B-411C-89DD-275911B29F40@microsoft.com...
> > I set up a restricted group to give users, local admin access.
> > As soon as I set it up it stopped all my domain admin access and IUSR
> > access from the server. I have tried completely removing the groups but
> > the admin access never returns.
> >
> > what to do?????
>
>
>
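Added example, not part of either post: a small audit of the `[Group Membership]` section of a GPO's `GptTmpl.inf`, flagging a Restricted Groups entry that replaces the local Administrators membership without listing Domain Admins, which is the situation described in the thread. The function name and the sample file are constructed for illustration, the SIDs are placeholders, and the check assumes members are stored in SID form rather than as names.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "-512"       # Domain Admins is <domain SID>-512

# Constructed sample: SIDs are placeholders, not taken from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-544
"""


def audit_restricted_groups(inf_text):
    """Hypothetical helper: classify entries that touch local Administrators."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        group, _, mode = key.rpartition("__")
        group = group.lstrip("*")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        if mode.lower() == "members" and group == ADMINISTRATORS and sids:
            # "Members of this group": the list replaces current membership.
            if not any(s.endswith(DOMAIN_ADMINS_RID) for s in sids):
                findings.append(("REPLACES_WITHOUT_DOMAIN_ADMINS", sids))
        elif mode.lower() == "memberof" and ADMINISTRATORS in sids:
            # "This group is a member of": adds the group, removes nobody.
            findings.append(("ADDITIVE", group))
    return findings


if __name__ == "__main__":
    for finding in audit_restricted_groups(SAMPLE_INF):
        print(finding)
```

To check a real policy, read the GPO's `GptTmpl.inf` and decode it first (these files are typically UTF-16) before passing the text to the function. Empty member lists are not evaluated here.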


