Creating A Restricted Group
#1
Restricted Group

I want to use Restricted Groups but I’m a little bit confused. I want to achieve the following: I want to enable some users, such as test, test1 and test3, to have administration privileges. Simply put, to have selected users put in the local Administrators group. How do I accomplish this? I’ve done the following:

1. In Active Directory I created a Domain Local Group with Security group type called Test_local_group.
2. I then included the users test2, test3, test4, and test5 as members of the Test_local_group.
3. Next step I created an Organizational Unit named “My Management Admin”.
4. I created a GPO named “Restricted Group Policy Object” under the OU “My Management Admin”.
5. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups, and adding the Group Name GREATBAY\Test_local_admin.
6. Then I edited “This group is a member of:” by adding Administrators.
7. At the DOS prompt I ran gpupdate /force.

When I log on to the XP SP2 workstation (SPARE11), user test4 does not have administrative privileges. I then ran gpresult /v>c:\gp_report_test4.txt on the XP SP2 workstation (SPARE11). You may see the attached results of the file. I want to add a domain group to a local group on a workstation. Please assist.
#2
joopdog, I must commend you on your post. All the information I could ask for was there (through the pictures, text and attachment).

To your problem: you'll need to put the computers you want affected by this GPO into the My Management Admin OU. GPOs can be applied to users and/or computers. For the GPO to apply to a user or computer, that user or computer needs to be within the hierarchy that the GPO is linked to. To understand more: http://technet2.microsoft.com/Window....mspx?mfr=true And even deeper: http://technet2.microsoft.com/Window....mspx?mfr=true
__________________
Regards, Jeremy Network Consultant/Engineer Baltimore - Washington area and beyond www.gma-cpa.com
#3
Hi, joopdog.

I would like to add a few things:
- Beware when you use the "Enforce" flag. If you linked the GPO to the My Management Admin OU, which does not have additional OUs underneath, it's useless. On the other hand, it might get you in trouble if you link the GPO to a higher container.
- If you don't have settings in one of the branches of a specific GPO, disable it. In your case, the User Settings branch is empty in this GPO. It should be disabled (in the GPMC, right-click the GPO -> Status -> User Configuration Settings Disabled). This will prevent it from being scanned when a user logs in. If you have a lot of GPOs to be processed, such a useless scan can prolong the login process. It's a good practice.

Not really a reply, more some thoughts that came to me while reading your post. Good luck and keep the forum posted.
__________________
Sorin Solomon »»»»» In order to succeed, your desire for success should be greater than your fear of failure. - Bill Cosby «««««
#4
There is one thing to keep in mind when restricting the local group Administrators: you have to add the original members of this particular local group to that Restricted Group as well.

First, about steps 4 and 5 at "I’ve done the following":

Quote:
5. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. And adding the Group Name GREATBAY\Test_local_admin
6. Then I edited “This group is a member of:” by adding Administrators.

5 should be: Edit the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups, and add the Group Name: Administrators (the name typed here must be the name of an EXISTING local group).

6 should be: Then add “Members of this group":
- GREATBAY\Test_local_admin

Second, because the policy will overwrite the content of the original group, do NOT forget to also add these default members of that group:
- GREATBAY\Domain Admins
- Administrator (that last member is the local administrator account on the client, so do not add the domain name to that one)

\Rem
Last edited by Rems; 10th January 2007 at 23:30.
#5
Okay, I did the following:

1. JeremyW suggested that I move the users from the Users container to the OU “My Management Admin”. I moved users test3, test4 and test5.
2. I modified the GPO “Restricted Group Policy Object” just as Rems suggested. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I removed the group name “GREATBAY\Test_local_admin” and created a new group called “Administrators”.
3. Then I edited the “Members of this group:” by adding the following: GREATBAY\Admin, GREATBAY\Administrator and GREATBAY\Domain Admins.
4. At the DOS prompt I ran gpupdate /force.

I see some progress. When I ran gpresult /v>c:\gp_report_test3.txt on the XP SP2 workstation (SPARE11) I see “Restricted Group Policy Object” along with Default Domain Policy and Local Group Policy under User Settings. This is good. However, under Computer Settings I see nothing for Restricted Groups. And my user test3 still does not have administrative privileges. Am I missing something? I’m so close. Please see attached files for assistance. Please assist.
#6
I said computers. In your case this would be SPARE11.
__________________
Regards, Jeremy Network Consultant/Engineer Baltimore - Washington area and beyond www.gma-cpa.com
#7
Add only these 3 members:
- GREATBAY\Test_local_admin
- GREATBAY\Domain Admins
- Administrator (that last member is the local administrator account on the client, so do not add the domain name to that one)

Where the group "GREATBAY\Test_local_admin" is the group you created in Active Directory which contains the test user accounts that you created before in Active Directory.

After you finished the GPO where you create the restricted group, link this GPO to the OU that contains the computer account SPARE11. After that restart SPARE11 (twice), and see if the group GREATBAY\Test_local_admin is now added on that computer to its local Administrators group.

\Rem
Last edited by Rems; 11th January 2007 at 11:27.
#8
Okay, here’s what I did:

1. JeremyW strongly said to move the computers to the OU “My Management Admin”. I moved computers spare9, spare10 and spare11.
2. I modified the GPO “Restricted Group Policy Object” just as Rems suggested. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I created a new group called “Administrators”.
3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.
4. At the DOS prompt I ran gpupdate /force.
5. I rebooted the spare9, spare10 and spare11 computers.
6. Everything looked great. I finally saw the “GREATBAY\Test_local_admin” in the local Administrators group. However, test4 did NOT have administrative privileges.
7. I then took the initiative and created another group in Active Directory called GREATBAY\Local_Admin_Group with Global group scope and Security group type.
8. IT WORKED!!! “GREATBAY\Local_Admin_Group” was added to the local Administrators group and test4 had administrative privileges.
9. You see, “GREATBAY\Test_local_admin” had Domain Local group scope and Security group type. I found that this does not work. The group name in Active Directory must have Global group scope, NOT Domain Local.
10. I went one step further.
11. I created a group in Active Directory called “Local_PowerUsers_Group”.
12. I modified the GPO “Restricted Group Policy Object”. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I created another group along with “Administrators” called “Power Users”.
13. Then I edited the “Power Users” group and the “Members of this group:” by adding the following: GREATBAY\Local_PowerUsers_Group.
14. At the DOS prompt I ran gpupdate /force.
15. Rebooted the spare9, spare10 and spare11 computers.
16. IT WORKED!!! Test6 had Power Users privileges.

JeremyW and Rems, you guys are amazing. I must commend you guys for your knowledge and patience with me. Thank you, thank you, thank you.
Last edited by joopdog; 12th January 2007 at 16:32.
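The thread's verification steps (checking the local Administrators group after the reboot, and discovering that the AD group's scope mattered) can be scripted. The following PowerShell is an added example, not code from the thread or from any of its posters; it assumes the GREATBAY domain and group names used above, a Windows 10 / Server 2016 or later client for Get-LocalGroupMember, and the RSAT ActiveDirectory module for the scope check.

```powershell
# Added example (not from the thread): compare a workstation's local
# Administrators group against the members the Restricted Groups policy
# is expected to enforce, then check the scope of each domain group.
# Assumptions: domain GREATBAY and the group names from this thread.

# The member set the thread ended up with (constructed from the posts).
$Expected = @(
    "$env:COMPUTERNAME\Administrator",   # local built-in account, no domain prefix
    'GREATBAY\Domain Admins',
    'GREATBAY\Local_Admin_Group'
)

# Get-LocalGroupMember is available on Windows 10 / Server 2016 and later;
# on older clients such as XP the equivalent is "net localgroup Administrators".
$Actual = Get-LocalGroupMember -Group 'Administrators' |
          Select-Object -ExpandProperty Name

$Missing = $Expected | Where-Object { $_ -notin $Actual }
$Extra   = $Actual   | Where-Object { $_ -notin $Expected }

if ($Missing) {
    Write-Warning "Policy not applied; missing: $($Missing -join ', ')"
}
if ($Extra) {
    # Restricted Groups replaces the member list, so leftovers mean the
    # policy has not been processed yet (wrong OU, no reboot, etc.).
    Write-Warning "Unexpected members still present: $($Extra -join ', ')"
}
if (-not $Missing -and -not $Extra) {
    Write-Output 'Local Administrators matches the Restricted Groups definition.'
}

# The thread reports that a Domain Local group was not applied on the
# workstation while a Global group was; flag DomainLocal scope in AD.
Import-Module ActiveDirectory
foreach ($member in $Expected | Where-Object { $_ -like 'GREATBAY\*' }) {
    $groupName = $member.Split('\')[1]
    $scope = (Get-ADGroup -Identity $groupName).GroupScope   # DomainLocal, Global or Universal
    if ($scope -eq 'DomainLocal') {
        Write-Warning "$member has DomainLocal scope; the thread found Global scope is needed."
    } else {
        Write-Output "$member scope: $scope"
    }
}
```

Run it on the workstation after gpupdate /force and the reboot the posters recommend; gpresult /r on the same machine confirms whether the GPO was applied at all.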
#9
Glad to help.

Joopdog, we'd appreciate it if you could grant some reputation points to the user that helped you (Rems). Just click on the little Yin-Yang icon on the right of Rems' answer and follow the prompt. (Yes, this is direct plagiarism of Daniel's line.)
__________________
Regards, Jeremy Network Consultant/Engineer Baltimore - Washington area and beyond www.gma-cpa.com
#10
Nice job joopdog! Adding a new AD group to the restricted group rather than adding individual domain users is the best way to control the local privileges for users.

Things to keep in mind when you want to restrict standard groups:

Quote:
3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.

\Rem
Last edited by Rems; 11th January 2007 at 21:19.