Re: Restricted group functionality



Francois,

That is part of the beauty of this GPO. That group will be added back.
And, no other group will be allowed to be added.

Now, I have never played with this (testing all of the possibilities). I
would suggest that you play with this in the lab. I will do the same.

--
Cary W. Shultz
Roanoke, VA 24012

"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:eKis6yE%23GHA.4980@xxxxxxxxxxxxxxxxxxxxxxx
What should I do if someone removes the domain admin group and I want it to
be maintained? Is it possible with that GPO?

"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message news:
%23V4eNBD%23GHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Francois,

By "fix" I mean this MSKB - http://support.microsoft.com/?id=810076.

It simply changes the default behavior of the Restricted Groups GPO from
a "flush and load" - as I call it - to a "append to". And, since this is
a GPO that affects the computer side of things you would have to make
sure that the computer account object(s) in question are located in an OU
(well, Site or Domain as well) to which this GPO is linked....that is how
you would tell that the computer account object T111 has only xxx\admracf
as a member of the local Administrators group.

--
Cary W. Shultz
Roanoke, VA 24012

"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:em1RoSC%23GHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
Which fix?
I saw a fix but it was for XP SP1 and we are on SP2, so I presume everything
will be fine.
Yes, we are targeting the administrator group. We have an inventory of
the contents of all administrator groups in our organisation, so I
hope not to forget anything.

If I want to be sure xxx\admracf is in the local administrator
group and I want to add it on the computer T111, how will I need to
specify it in my restricted group?

--
_________________________________________
François Racine
ICQ#: 36826607
More ways to contact me: http://wwp.icq.com/36826607
_________________________________________

"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message news:
eIzeANC%23GHA.4524@xxxxxxxxxxxxxxxxxxxxxxx
Good morning!

I have found that a lot of people try to do this on a Domain Controller
and they have a problem with the "local groups" part. Since there are
no "local groups" on a Domain Controller (well, just leave it at
that...) making use of the Restricted Groups can be a bit more
difficult than necessary.

Now, if you do this on a Windows 2000 or Windows XP client (running the
GPMC) there should be no problems.

I know that the poster is talking about moving the computer account
objects between OUs (not sure why....you are *supposed* to set up the
OU structure and then leave it alone....).

Also, so that the poster is aware: be careful with restricted groups.
The default behavior is to flush the contents of the "desired group"
and to replace it with whatever you specify in the GPO. If your
"desired group" is the local Administrators group then be sure to
include the Domain Admins in your GPO. Otherwise, have fun.....

There is a fix to this. MS released a patch that you can get from
MS-PSS (no charge). Just make sure that you get the right one. There
is one for WIN2000 clients and there is one for WINXP clients. This
patch must be installed on all systems (Domain Controller as well) to
work. What it does is change the default behavior....the use of
restricted groups will simply add to your "desired group".

--
Cary W. Shultz
Roanoke, VA 24012

"Florian Frommherz" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:uqZSUdA%23GHA.3644@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

François Racine wrote:
If I am applying the restricted group to an OU, the restricted group
will apply correctly and accounts we don't want will be removed. But
if we are moving the computer account to a different OU, then the
accounts we don't want will be back? Any explanations? Any
suggestions to make those accounts stay removed indefinitely?

Why would you move the computers to another OU? Just leave them in the
OU the GP is applied to - or link the GP to an upper OU to keep it
working.

How did you configure your Restricted Groups? Were you using the
"Members of this group.." or "This group is member of..." section?

cheers,

Florian
--
Junior admin from southern Germany.
eMail: firstname [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
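An added audit script, not from any poster in this thread: it reads the local Administrators group on a set of computers and reports drift against the membership the Restricted Groups GPO is meant to enforce, so that a "flush and load" that removed Domain Admins, or members that came back after a computer object was moved out of the linked OU, shows up in one report. Computer name T111, domain NetBIOS name xxx and the account admracf are taken from the thread as placeholders; the baseline list is an assumption.

```powershell
# Added example (not from the thread). Audits local Administrators membership
# against what the Restricted Groups GPO should enforce. Assumes the caller has
# admin rights on the targets; names below are placeholders from the thread.
param(
    [string[]]$ComputerName = @('T111'),
    [string]$DomainNetBios  = 'xxx'
)

# Members that must always be present on every machine (assumed baseline).
$baseline = @("$DomainNetBios\Domain Admins", 'Administrator')
# Per-computer extras the GPO is supposed to append, keyed by computer name.
$extras = @{ 'T111' = @("$DomainNetBios\admracf") }

function Get-LocalAdminMembers {
    param([string]$Computer)
    # The ADSI WinNT provider works against Windows 2000/XP as well as newer hosts.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath looks like WinNT://DOMAIN/Name or WinNT://COMPUTER/Name;
        # normalise to DOMAIN\Name for domain principals, bare Name for local ones.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts[0] -ieq $Computer) { $parts[1] } else { "$($parts[0])\$($parts[1])" }
    }
}

foreach ($c in $ComputerName) {
    $expected = @($baseline)
    if ($extras.ContainsKey($c)) { $expected += $extras[$c] }

    try { $actual = @(Get-LocalAdminMembers -Computer $c) }
    catch { Write-Warning "$c : cannot read Administrators ($($_.Exception.Message))"; continue }

    # -notcontains is case-insensitive, so SAM name casing differences are ignored.
    $missing = @($expected | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual   | Where-Object { $expected -notcontains $_ })
    $status  = if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'OK' } else { 'DRIFT' }

    [pscustomobject]@{
        Computer = $c
        Missing  = ($missing -join ', ')   # required member flushed out by the GPO or removed by hand
        Extra    = ($extra -join ', ')     # member came back: GPO not applying, wrong OU, or manual add
        Status   = $status
    }
}
```

Run it on a schedule and alert on any DRIFT row; a computer that was moved between OUs and lost the GPO will show its unwanted members under Extra within a refresh interval.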