Re: restricted groups

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Al (Al_at_discussions.microsoft.com)
Date: 02/09/05 

Date: Wed, 9 Feb 2005 15:25:03 -0800

I found a solution to the issue by making the interactive group a member of
the power users group in the restricted group setting. But I don't understand
why this works and what I was doing before didn't.

"Herb Martin" wrote:

> "Al" <Al@discussions.microsoft.com> wrote in message
> news:40FE30C7-1CB0-4623-906B-19247A4D82F0@microsoft.com...
> > I have an application that all domain users must be able to run on a local
> > machine. It requires them to be a member of the power users group.
> > What I'm trying to do is under the default domain policy is use the
> > restricted group setting to make the domain users group a member of the
> local
> > power users group.
>
> Were you able to select the Power User's group (in the GPO)
> and get the members added?
Yes
>
> In inability to do this is you problem that is a known issue
> (Fix: install the Win2003 AdminPak.msi tools on an XP
> workstation where the Power Users group actually exists
> -- and can therefore be selected.)
>
>
> > When I do this and the log on as a domain user and then
> > try to run this application it fails.
>
> Then that implies that the User is NOT in the Group.
>
> Have you checked for this directly? (Computer Manager)
Yes
>
> Could be a failure to link or apply the policy, permissions,
> failure to authenticate.
>
> > However if I manually add the domain
> > users group to the power users account through the local users and groups
> > management console the domain user is able to run the application.
> > Why is the restricted group policy not working for me.
>
> Is the machine authenticating? It won't get GPOs if not.
> (How do you know?)
>
> Is the policy applied? (How do you know?)
>
> You might wish to use GPResult on the machine to
> help with the latter. Or run RSoP from the AD Users
> and Computers MMC in both Logging (what happened)
> and Planning mode (what SHOULD happen.)
>
> --
> Herb Martin
>
>
>
>

Relevant Pages

  • Re: restricted groups
    ... See Herb's point for how to add a domain group to the power users group ... I found a solution to the issue by making the interactive group a member of the power users group in the restricted group setting. ... >> restricted group setting to make the domain users group a member of the> local ... > Could be a failure to link or apply the policy, permissions,> failure to authenticate. ...
    (microsoft.public.windows.server.active_directory)
  • Re: restricted groups
    ... If you look into the Power Users group, is the domain users group a member ... It requires them to be a member of the power users group. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Assigning domain users rights to change ip address
    ... Placing domain users into the local Power Users group would likely do what ... >> I am working in a cisco lab where domain users required to change their ... >> could gain a right to change ip setting through network connection. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Restricted Group Policy settings.
    ... If member of LapTop Group user then ... I have many laptop users in the company. ... We have a default domain policy ... have Local Power Users Group rights which i guess would be enough to ...
    (microsoft.public.windows.server.active_directory)
  • Windows Media Player Crashes on Web Access with Domain User accoun
    ... Media player crashes with the text "Opening..." ... If I remove the user from the Power Users group, ... domain users unrestricted read/write access to C: ... Windows XP Pro SP2 with all updates applied, ...
    (microsoft.public.windowsmedia.player)