Restricted group not restricted really
On a 2008 R2 domain I applied Restricted Groups through Group Policy in order to give a group of users local administrative privileges on clients, but this way the group members get built-in domain Administrators permissions too, and are able to log on to the domain controllers. This is a serious issue.
What needs to be done if I want the group to only have local administrator rights on the clients and be restricted from logging on to domain controllers?
Thanks
October 4th, 2010 4:07pm
Hi,
Please let us know the exact settings you have applied.
In Group Policy Management Editor, go to User Configuration --- Preferences --- Control Panel Settings --- Local Users and Groups, create New -> Local Group, choose Update, Administrators (built-in), add the current user, check the box "Delete all member users/groups" and add the users you would like to give local admin permission to the Members list.
Run gpupdate /force on the DC and client, then check the result.
Shaon Shan | TechNet Subscriber Support in forum | If you have any feedback on our support, please contact tngfb@microsoft.com
October 8th, 2010 4:59am
Hi,
I have the settings below:
Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
I added a group which has all the members. In the group properties I added 'Administrators' under "This group is a member of:" (I followed this from search results).
I applied the policy to the OU which has the client computers.
The group got added to all my clients' local Administrators group and worked, but this way the group also becomes a member of the built-in Administrators group.
I will try the Group Policy Preferences settings you suggested, which right now has issues and is not working on the same OU (I removed the existing Restricted Groups policy). I can't check "Delete all member users/groups" as the teams in my environment have different user group memberships in place.
I was thinking of trying to link my Restricted Groups policy to a WMI filter for excluding domain controllers, but I doubt this would work either:
select * from Win32_OperatingSystem where ProductType="1" or ProductType="3"
Please suggest.
October 12th, 2010 7:21am
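The following is an added verification script, not part of this thread or any Microsoft guidance. It shows how the WMI filter quoted above resolves on a given host (ProductType 1 = workstation, 2 = domain controller, 3 = member server), lists the local Administrators group through the WinNT ADSI provider so it also works on 2008 R2 era hosts, and, where the RSAT ActiveDirectory module is present, checks that the delegated group has not ended up nested in the domain's BUILTIN\Administrators group. The group name CONTOSO\Workstation-Admins is a placeholder.

```powershell
# Added example, not from the thread. Assumes the delegated group is named
# CONTOSO\Workstation-Admins (placeholder) and that the RSAT ActiveDirectory
# module is installed where the domain-side check runs.
param(
    [string]$DelegatedGroup = 'CONTOSO\Workstation-Admins'   # placeholder name
)

# 1. Show how the thread's WMI filter resolves on this host.
#    ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$os = Get-WmiObject -Class Win32_OperatingSystem
$filterMatches = ($os.ProductType -eq 1) -or ($os.ProductType -eq 3)
"ProductType={0} -> filter 'ProductType=1 or ProductType=3' applies: {1}" -f $os.ProductType, $filterMatches

# 2. Enumerate the LOCAL Administrators group via ADSI (WinNT provider) and
#    report whether the delegated group is a direct member. Member paths look
#    like WinNT://CONTOSO/Workstation-Admins, normalised to DOMAIN\Name below.
$localAdmins = [ADSI]'WinNT://./Administrators,group'
$members = @($localAdmins.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
"Local Administrators: " + ($members -join ', ')
"Delegated group is a local admin here: " + ($members -contains $DelegatedGroup)

# 3. Confirm the delegated group is NOT nested in the domain's BUILTIN\Administrators
#    (the misconfiguration described in the thread), if RSAT is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainAdmins = Get-ADGroupMember -Identity 'Administrators' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $sam = ($DelegatedGroup -split '\\')[-1]
    if ($domainAdmins -contains $sam) {
        Write-Warning "$DelegatedGroup is nested in the domain BUILTIN\Administrators group and can log on to DCs."
    } else {
        "OK: $DelegatedGroup is not a member of the domain BUILTIN\Administrators group."
    }
} else {
    "ActiveDirectory module not found; skipping the domain-side membership check."
}
```

Run it once on a client and once on a domain controller: the filter line should print True on the client and False on the DC, and step 3 should report OK after the fix described later in the thread.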
Hi,
Have you tried my steps about changing local admin accounts?
Shaon Shan | TechNet Subscriber Support in forum | If you have any feedback on our support, please contact tngfb@microsoft.com
October 15th, 2010 5:25am
I added/typed just the name of the group 'Administrators' instead of browsing to the location and adding it, which was getting domain\Administrators added.
Now it is working well.
Thanks Shaon.
November 29th, 2010 7:05am