Re: Restricted Group not working as expected

From: Jerold Schulman <Jerry@xxxxxxxxxx>
Date: Thu, 16 Mar 2006 08:05:55 -0500

See http://support.microsoft.com?kbid=320065 How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations

On Thu, 16 Mar 2006 02:20:29 -0800, Azwan <Azwan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi there,

I've created a restricted group and apply in the group policy to add myself
in the local administrators group in each of the computers in the domain.
However, after applying the policy, refresh the policy, restart the client
computers, i still don't see myself in the local administrator group.

Here what I've done:

1. Add myself into a domain group called "Admin"
2. Create a group policy and linked to Computers OU. All computers are in
Computers OU.
3. In the policy; Computer Configuration -> Windows Settings -> Security
Settings -> Restricted Groups
4. Right click and Add Groups.
5. I add "Admin" Security Group and I have validate this group is exist in
the domain.
6. I leave blank for "Members of this group".
7. In the "This group is a member of" I add there "Administrators". Is this
the correct group? My first huntch is i put in the wrong group. Would this be
the Domain Admins or Local Admins?

When I open the GPMC and browse through my policy, the settings was there.
The settings for Restricted Group look like this:

Group: Domain\Admin
Members: <None>
Members of: BUILTIN\Administrators

I have run the RSoP on the computers and can verify that it is a
winning(applied) GPO.

My objective is, whenever i go to any of the computers, if i open the Local
Users and Groups, and under Groups, if I click Administrators, I should be
able to see the group "Admin" in the local administrator group.

Could anybody share some lights on this?

Thank you.

Regards,
Azwan

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
.

Prev by Date: Re: .net framework adm file
Next by Date: Re: .net framework adm file
Previous by thread: Re: Software requires local administrator rights to run
Next by thread: Windows password expiration is not notifying the users
Index(es):
- Date
- Thread

Relevant Pages

Re: Rid AD of Circular Group Membership
... Unfortunately since the previous Admin used Restricted Groups on the Default ... Administrators group in the domain can manage the domain controllers ... and have use on members if it is used there. ... The quess is each has an account and uses it, ...
(microsoft.public.windows.group_policy)
Re: Trouble migrating couputers (ADMT v3)
... Logging on as the domain admin works in some cases, but in my experience, ... you'll still not be able to move some of the computers as the domain admin, ... Once the proper account is in the administrators group, ... I've found is to write a startup script that adds the appropriate account ...
(microsoft.public.windows.server.general)
Re: Trouble migrating couputers (ADMT v3)
... Logging on as the domain admin works in some cases, but in my experience, ... you'll still not be able to move some of the computers as the domain admin, ... Once the proper account is in the administrators group, ... I've found is to write a startup script that adds the appropriate account ...
(microsoft.public.windows.server.general)
Re: Domain user secuirty
... You never want to put a regular user in the domain admins or administrators group on ... > windows 2000 computers. ... > admin or Administrator group. ...
(microsoft.public.win2000.security)
Re: Trouble migrating couputers (ADMT v3)
... Logging on as the domain admin works in some cases, but in my experience, ... you'll still not be able to move some of the computers as the domain admin, ... Once the proper account is in the administrators group, ...
(microsoft.public.windows.server.general)