Re: restricted groups

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/09/05

• Next message: Chriss3 [MVP]: "Re: pre-upgrade procedure from 2000 to 2003 AD"
• Previous message: Chriss3 [MVP]: "Re: Authenication on 2003"
• In reply to: Al: "restricted groups"
• Next in thread: Al: "Re: restricted groups"
• Reply: Al: "Re: restricted groups"
• Messages sorted by: [ date ] [ thread ]

---

Date: Wed, 9 Feb 2005 16:50:54 -0600

"Al" <Al@discussions.microsoft.com> wrote in message
news:40FE30C7-1CB0-4623-906B-19247A4D82F0@microsoft.com...
> I have an application that all domain users must be able to run on a local
> machine. It requires them to be a member of the power users group.
> What I'm trying to do is under the default domain policy is use the
> restricted group setting to make the domain users group a member of the
local
> power users group.

Were you able to select the Power User's group (in the GPO)
and get the members added?

In inability to do this is you problem that is a known issue
(Fix: install the Win2003 AdminPak.msi tools on an XP
workstation where the Power Users group actually exists
-- and can therefore be selected.)

> When I do this and the log on as a domain user and then
> try to run this application it fails.

Then that implies that the User is NOT in the Group.

Have you checked for this directly? (Computer Manager)

Could be a failure to link or apply the policy, permissions,
failure to authenticate.

> However if I manually add the domain
> users group to the power users account through the local users and groups
> management console the domain user is able to run the application.
> Why is the restricted group policy not working for me.

Is the machine authenticating? It won't get GPOs if not.
(How do you know?)

Is the policy applied? (How do you know?)

You might wish to use GPResult on the machine to
help with the latter. Or run RSoP from the AD Users
and Computers MMC in both Logging (what happened)
and Planning mode (what SHOULD happen.)

-- 
Herb Martin

---

• Next message: Chriss3 [MVP]: "Re: pre-upgrade procedure from 2000 to 2003 AD"
• Previous message: Chriss3 [MVP]: "Re: Authenication on 2003"
• In reply to: Al: "restricted groups"
• Next in thread: Al: "Re: restricted groups"
• Reply: Al: "Re: restricted groups"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: restricted groups ... on the focus of the school and the instructors of said school). ... Microsoft Active Directory MVP ... It requires them to be a member of the power users group. ... >>> restricted group setting to make the domain users group a member of the ... (microsoft.public.windows.server.active_directory) Re: Least amount of privileges ... It depends on what the domain users group has for permissions. ... Does this third party program have a service account that runs the app for ... moving this app off of your sql server and put it on a seperate server. ... (microsoft.public.windows.server.active_directory) Re: restricted groups ... Both Herb and Gary mention the need of this Adminpak ... and working from a workstation to get this to work. ... >>I have an application that all domain users must be able to run on a local ... It requires them to be a member of the power users group. ... (microsoft.public.windows.server.active_directory) Re: restricted groups ... If you look into the Power Users group, is the domain users group a member ... It requires them to be a member of the power users group. ... (microsoft.public.windows.server.active_directory) Re: OWA distorted ... group contains 'Domain Users', Authenticated Users', and the special ... 'INTERACTIVE' user account. ... domain users group? ... (microsoft.public.exchange.admin)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2005-02