What am I missing with the "Restricted Groups" GPO setting?

Post by Gabe - GMa » Tue, 09 Nov 2004 08:46:40


I want to use the restricted group(s) setting to ensure that on all
computers within an OU, a domain local group called "DOM\Desktop Admins"
gets added (not replace) to the existing membership of the built-in
"Administrators" group of the workstation.

Obviously, I cannot Add a group called "Administrators" to the restricted
group and set its members attribute to "DOM\Desktop Admins" as it will
REPLACE the existing group membership.

Instead, I added the group "DOM\Desktop Admins" and set its memberOf
attribute to "Administrators" and left its member attribute blank.

Per the GPO documentation, "DOM\Desktop Admins" should get added to the
built-in "Administrators" group in addition to its existing membership. But
nothing happens!!!

Here is the output from the winlogon.log file from %WINDOWS%\security\logs:
-------------------------------------------------------------------
Process GP template gpt00001.inf.
-------------------------------------------
Sunday, November 07, 2004 2:01:56 PM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...

----Configure Group Membership...
Configure DOM\DeskTopAdmins.
No system mapping was found for DOM\DeskTopAdmins.

Group Membership configuration was completed successfully.


----Configure Security Policy...
Configure password information.
Configure account force logoff information.
System Access configuration was completed successfully.
Audit/Log configuration was completed successfully.
Configuration of Registry Values was completed successfully.
----Configure available attachment engines...

Configuration of attachment engines was completed successfully.
-------------------------------------------------------------------

What am I missing?

Gabe

--
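To make the Members / Member Of distinction from the post concrete, here is an added simulation (not code from the thread, and not Microsoft's implementation) of how the client applies the [Group Membership] section of a Restricted Groups template to a local group: a Members line replaces the whole membership, a Memberof line only adds, and a subject name the client cannot map to a SID is logged and skipped. The template syntax, SIDs, group names and the "system mapping" table are constructed assumptions.

```python
import re
from copy import deepcopy

# Constructed: names/SIDs this workstation can map ("system mapping").
KNOWN = {
    "*S-1-5-32-544": "Administrators",        # well-known SID of BUILTIN\Administrators
    "*S-1-5-21-1-2-3-512": "DOM\\Domain Admins",
    "DOM\\Desktop Admins": "DOM\\Desktop Admins",
}
LOCAL_GROUPS = {"Administrators"}             # a workstation can only edit its own groups
INITIAL = {"Administrators": {"Administrator", "DOM\\Domain Admins"}}  # constructed start state

LINE = re.compile(r"^(?P<group>.+?)__(?P<attr>Members|Memberof)\s*=\s*(?P<list>.*)$", re.I)

def parse_group_membership(template):
    """Yield (group, attr, [tokens]) for every line in the [Group Membership] section."""
    in_section = False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = LINE.match(line)
        if in_section and m:
            tokens = [t.strip() for t in m["list"].split(",") if t.strip()]
            yield m["group"], m["attr"].lower(), tokens

def apply_restricted_groups(template, groups=INITIAL):
    """Return (new local-group state, log lines) after applying the template."""
    state, log = deepcopy(groups), []
    for group, attr, tokens in parse_group_membership(template):
        subject = KNOWN.get(group)
        if subject is None:                   # mirrors "No system mapping was found for ..."
            log.append(f"No system mapping was found for {group}.")
            continue
        resolved = [KNOWN[t] for t in tokens if t in KNOWN]
        if attr == "members" and subject in LOCAL_GROUPS:
            state[subject] = set(resolved)    # Members REPLACES the existing membership
        elif attr == "memberof":
            for target in resolved:
                if target in LOCAL_GROUPS:
                    state[target].add(subject)  # Memberof ADDS to the existing membership
    return state, log

# Constructed templates: the replace form, the add form, and an unmappable subject name.
REPLACE_FORM = "[Group Membership]\n*S-1-5-32-544__Members = DOM\\Desktop Admins\n"
ADD_FORM = "[Group Membership]\nDOM\\Desktop Admins__Memberof = *S-1-5-32-544\n"
UNMAPPED_FORM = "[Group Membership]\nDOM\\Nonexistent Group__Memberof = *S-1-5-32-544\n"
```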

Post by Darren Mar » Wed, 10 Nov 2004 01:26:55

Gabe-
Is your AD domain in native mode? I'm pretty sure the last time I checked
this you couldn't add a domain local group to a local group unless the
domain was in native mode--you could only add global groups.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.yqcomputer.com/ -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related


Post by Gabe - GMa » Wed, 10 Nov 2004 08:30:47

Darren-
Yes, both the forest and domain are in Win2003 native mode. What else do I
need to check? The domain is a child domain

Gabe


Post by Darren Mar » Wed, 10 Nov 2004 08:49:29

k. What version of OS and SP is running on the client--make sure this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810076 is not your
issue. Also, can you add that domain local group manually to the local
Administrators group on those workstations?

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
