Re: What am I missing with the "Restricted Groups" GPO setting?

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 11/08/04


Date: Mon, 8 Nov 2004 15:49:29 -0800

Ok. What version of OS and SP is running on the client--make sure this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810076 is not your
issue. Also, can you add that domain local group manually to the local
Administrators group on those workstations?

-- 
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related

"Gabe - GMail" <gabe.eapen@gmail.com> wrote in message 
news:Ol%23U3rexEHA.1988@TK2MSFTNGP12.phx.gbl...
> Darren-
> Yes, both the forest and domain are in Win2003 native mode.  What else do I
> need to check?  The domain is a child domain
>
> Gabe
>
> "Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
> news:ufPZ5%23axEHA.2016@TK2MSFTNGP15.phx.gbl...
>> Gabe-
>> Is your AD domain in native mode? I'm pretty sure the last time I checked
>> this you couldn't add a domain local group to a local group unless the
>> domain was in native mode--you could only add global groups.
>>
>> -- 
>> Darren Mar-Elia
>> MS-MVP-Windows Server--Group Policy
>> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
>> FAQs, Whitepapers and Utilities for all things Group Policy-related
>>
>>
>>
>> "Gabe - GMail" <gabe.eapen@gmail.com> wrote in message
>> news:%23kYDl9SxEHA.1400@TK2MSFTNGP11.phx.gbl...
>> > I want to use the restricted group(s) setting to ensure that on all
>> > computers within an OU, a domain local group called "DOM\Desktop Admins"
>> > gets added (not replace) to the existing membership of the built-in
>> > "Administrators" group of the workstation.
>> >
>> > Obviously, I cannot Add a group called "Administrators" to the restricted
>> > group and set its members attribute to "DOM\Desktop Admins" as it will
>> > REPLACE the existing group membership.
>> >
>> > Instead, I added the group "DOM\Desktop Admins" and set its memberOf
>> > attribute to "Administrators" and left its member attribute blank.
>> >
>> > Per the GPO documentation, "DOM\Desktop Admins" should get added to the
>> > built-in "Administrators" group in addition to its existing membership.
>> > But nothing happens!!!
>> >
>> > Here is the output from the winlogon.log file from
>> > %WINdOWS%\security\logs:
>> > -------------------------------------------------------------------
>> > Process GP template gpt00001.inf.
>> > -------------------------------------------
>> > Sunday, November 07, 2004 2:01:56 PM
>> > ----Configuration engine was initialized successfully.----
>> >
>> > ----Reading Configuration Template info...
>> >
>> > ----Configure Group Membership...
>> > Configure DOM\DeskTopAdmins.
>> > No system mapping was found for DOM\DeskTopAdmins.
>> >
>> > Group Membership configuration was completed successfully.
>> >
>> >
>> > ----Configure Security Policy...
>> > Configure password information.
>> > Configure account force logoff information.
>> > System Access configuration was completed successfully.
>> > Audit/Log configuration was completed successfully.
>> > Configuration of Registry Values was completed successfully.
>> > ----Configure available attachment engines...
>> >
>> > Configuration of attachment engines was completed successfully.
>> > -------------------------------------------------------------------
>> >
>> > What am I missing?
>> >
>> > Gabe
> 
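
Added example, not code from the thread's participants: it reads the Group Membership section of a winlogon.log like the one quoted above and reports every group name that produced "No system mapping was found", which the closing "completed successfully" line does not reveal. The function names and the expected_names parameter are assumptions made for this example; expected_names holds the group name as written in the original post.

```python
import re

# Excerpt of the winlogon.log quoted in the thread (quote markers removed).
SAMPLE_LOG = """\
----Configure Group Membership...
Configure DOM\\DeskTopAdmins.
No system mapping was found for DOM\\DeskTopAdmins.

Group Membership configuration was completed successfully.

----Configure Security Policy...
Configure password information.
"""


def _norm(name):
    # Compare account names ignoring case and whitespace only.
    return re.sub(r"\s+", "", name).casefold()


def audit_group_membership(log_text, expected_names=()):
    """Return {group name: finding} for the Group Membership section only."""
    findings, in_section = {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            # Section headers start with dashes; track only the one we need.
            in_section = line.startswith("----Configure Group Membership")
            continue
        if not in_section:
            continue
        unmapped = re.fullmatch(r"No system mapping was found for (.+)\.", line)
        configured = re.fullmatch(r"Configure (.+)\.", line)
        if unmapped:
            entry = findings.setdefault(
                unmapped.group(1), {"mapped": True, "near_match": []})
            entry["mapped"] = False
        elif configured:
            findings[configured.group(1)] = {"mapped": True, "near_match": []}
    for name, entry in findings.items():
        if not entry["mapped"]:
            # Expected names that differ from the logged one by case/spacing.
            entry["near_match"] = [e for e in expected_names
                                   if e != name and _norm(e) == _norm(name)]
    return findings


if __name__ == "__main__":
    print(audit_group_membership(SAMPLE_LOG, ["DOM\\Desktop Admins"]))
```

A group reported with "mapped": False was not applied on that client even though the section ends with a success line; a non-empty near_match means the name in the template and the name you expected differ only in case or spacing.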

