What am I missing with the "Restricted Groups" GPO setting?

From: Gabe - GMail (gabe.eapen_at_gmail.com)
Date: 11/07/04


Date: Sun, 7 Nov 2004 17:46:40 -0600

I want to use the restricted group(s) setting to ensure that on all
computers within an OU, a domain local group called "DOM\Desktop Admins"
gets added (not replace) to the existing membership of the built-in
"Administrators" group of the workstation.

Obviously, I cannot Add a group called "Administrators" to the restricted
group and set its members attribute to "DOM\Desktop Admins" as it will
REPLACE the existing group membership.

Instead, I added the group "DOM\Desktop Admins" and set its memberOf
attribute to "Administrators" and left its member attribute blank.

Per the GPO documentation, "DOM\Desktop Admins" should get added to the
built-in "Administrators" group in addition to its existing membership. But
nothing happens!!!

Here is the output from the winlogon.log file from %WINdOWS%\security\logs:
-------------------------------------------------------------------
Process GP template gpt00001.inf.
-------------------------------------------
Sunday, November 07, 2004 2:01:56 PM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...

----Configure Group Membership...
 Configure DOM\DeskTopAdmins.
 No system mapping was found for DOM\DeskTopAdmins.

 Group Membership configuration was completed successfully.

----Configure Security Policy...
 Configure password information.
 Configure account force logoff information.
 System Access configuration was completed successfully.
 Audit/Log configuration was completed successfully.
 Configuration of Registry Values was completed successfully.
----Configure available attachment engines...

 Configuration of attachment engines was completed successfully.
-------------------------------------------------------------------

What am I missing?

Gabe

-- 
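Added example (not part of the original post): a Python script that reads the winlogon.log text quoted above and lists each group named under "Configure Group Membership", flagging any that is followed by a "No system mapping was found" line. The function and field names are illustrative, and the sample is the start of the post's own excerpt, embedded inline.

```python
import re

# Constructed sample: the start of the winlogon.log excerpt quoted in the post.
SAMPLE_LOG = """\
Process GP template gpt00001.inf.
-------------------------------------------
Sunday, November 07, 2004 2:01:56 PM
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure Group Membership...
 Configure DOM\\DeskTopAdmins.
 No system mapping was found for DOM\\DeskTopAdmins.

 Group Membership configuration was completed successfully.

----Configure Security Policy...
 Configure password information.
"""

TEMPLATE_RE = re.compile(r"^Process GP template (.+?)\.$")
SECTION_RE = re.compile(r"^----(.+?)\.\.\.$")
CONFIGURE_RE = re.compile(r"^\s+Configure (.+)\.$")
NO_MAP_RE = re.compile(r"^\s+No system mapping was found for (.+)\.$")

def triage_group_membership(log_text):
    """One record per group named in a 'Configure Group Membership' section."""
    records, template, in_groups = [], None, False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := TEMPLATE_RE.match(line):
            template, in_groups = m.group(1), False
        elif m := SECTION_RE.match(line):
            # Only group lines are of interest; other sections also use "Configure ...".
            in_groups = m.group(1) == "Configure Group Membership"
        elif in_groups and (m := NO_MAP_RE.match(line)):
            for rec in records:
                if rec["template"] == template and rec["group"] == m.group(1):
                    rec["no_mapping"] = True
        elif in_groups and (m := CONFIGURE_RE.match(line)):
            records.append({"template": template, "group": m.group(1), "no_mapping": False})
    return records

if __name__ == "__main__":
    for rec in triage_group_membership(SAMPLE_LOG):
        status = "NO SYSTEM MAPPING" if rec["no_mapping"] else "ok"
        print(f'{rec["template"]}: {rec["group"]}: {status}')
```

In the quoted excerpt the section still ends with "Group Membership configuration was completed successfully.", so the per-group lines are the ones to check.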

