Re: Restricted group functionality



Francois,

By "fix" I mean this MSKB - http://support.microsoft.com/?id=810076.

It simply changes the default behavior of the Restricted Groups GPO from a
"flush and load" - as I call it - to an "append to". And, since this is a
GPO that affects the computer side of things you would have to make sure
that the computer account object(s) in question are located in an OU (well,
Site or Domain as well) to which this GPO is linked....that is how you would
tell that the computer account object T111 has only xxx\admracf as a member
of the local Administrators group.

--
Cary W. Shultz
Roanoke, VA 24012

"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:em1RoSC%23GHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
Which fix?
I saw a fix but it was for XP SP1 and we are SP2 so I presume everything
will be fine.
Yes, we are targeting the administrator group. We have an inventory of
all contents of all administrator groups in our organisation and then I
hope to not forget anything.

If I want to be sure xxx\admracf might be in the local administrator group
and I want to add it on the computer T111, how will I need to specify it
in my restricted group?

--
_________________________________________
François Racine
ICQ#: 36826607
More ways to contact me: http://wwp.icq.com/36826607
_________________________________________

"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message news:
eIzeANC%23GHA.4524@xxxxxxxxxxxxxxxxxxxxxxx
Good morning!

I have found that a lot of people try to do this on a Domain Controller
and they have a problem with the "local groups" part. Since there are no
"local groups" on a Domain Controller (well, just leave it at that...)
making use of the Restricted Groups can be a bit more difficult than
necessary.

Now, if you do this on a Windows 2000 or Windows XP client (running the
GPMC) there should be no problems.

I know that the poster is talking about moving the computer account
objects between OUs (not sure why....you are *supposed* to set up the OU
structure and then leave it alone....).

Also, so that the poster is aware: be careful with restricted groups.
The default behavior is to flush the contents of the "desired group" and
to replace it with whatever you specify in the GPO. If your "desired
group" is the local Administrators group then be sure to include the
Domain Admins in your GPO. Otherwise, have fun.....

There is a fix to this. MS released a patch that you can get from MS-PSS
(no charge). Just make sure that you get the right one. There is one
for WIN2000 clients and there is one for WINXP clients. This patch must
be installed on all systems (Domain Controller as well) to work. What it
does is change the default behavior....the use of restricted groups will
simply add to your "desired group".

--
Cary W. Shultz
Roanoke, VA 24012

"Florian Frommherz" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uqZSUdA%23GHA.3644@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

François Racine wrote:
If I am applying the restricted group to an OU, the restricted group
will apply correctly and accounts we don't want will be removed. But if
we are moving the computer account to a different OU then the accounts
we don't want will be back? Any explanations? Any suggestions to have
those accounts removed indefinitely?

Why would you move the computers to another OU? Just leave it in the OU
the GP is applied to - or link the GP to an upper OU to have it still
working.

How did you configure your Restricted Groups? Were you using the
"Members of this group.." or "This group is member of..." section?

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
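
Added example, not part of the original thread or of any poster's code: a small Python check that reads the `[Group Membership]` section of a GPO's GptTmpl.inf and predicts what happens to the local Administrators group on a machine such as T111 under the two configuration styles Florian asks about. It assumes a "Members" list replaces the group's contents and a "Member Of" entry only adds to it; the INF text and the current membership are constructed samples, account names stand in for SIDs for readability, and xxx\admracf is assumed to be a domain group.

```python
import re

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample: "Members of this group" set on local Administrators.
MEMBERS_STYLE = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = xxx\admracf
"""
# Constructed sample: "This group is a member of" set on xxx\admracf.
MEMBEROF_STYLE = r"""
[Group Membership]
xxx\admracf__Memberof = *S-1-5-32-544
xxx\admracf__Members =
"""
CURRENT_T111 = [r"xxx\Domain Admins", r"xxx\olduser"]  # constructed inventory

def parse_group_membership(inf_text):
    """Return {group: {"members": list or None, "memberof": list or None}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(members|memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            items = [v.strip() for v in m.group(3).split(",") if v.strip()]
            entry = groups.setdefault(m.group(1).strip(), {"members": None, "memberof": None})
            entry[m.group(2).lower()] = items
    return groups

def predict(inf_text, current, target=ADMINISTRATORS):
    """Predict the membership of `target` after the policy is applied."""
    groups, fold = parse_group_membership(inf_text), str.casefold
    # Groups added through their own "Member Of" list: additive only.
    added = [g for g, e in groups.items()
             if e["memberof"] and fold(target) in map(fold, e["memberof"])]
    enforced = groups.get(target, {}).get("members")
    if enforced is None:          # no "Members" list on target: nothing flushed
        kept, removed = list(current), []
    else:                         # "Members" list: anything not listed is removed
        wanted = {fold(a) for a in enforced}
        kept = [a for a in current if fold(a) in wanted]
        removed = [a for a in current if fold(a) not in wanted]
        added += enforced
    final = list(kept)
    for account in added:
        if fold(account) not in {fold(x) for x in final}:
            final.append(account)
    return {"final": final, "removed": removed}
```

Running `predict(MEMBERS_STYLE, CURRENT_T111)` lists Domain Admins among the removed accounts, which is the case Cary warns about; comparing the `removed` list against the administrator-group inventory before linking the GPO shows what would be lost.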





