[gptalk] Re: Assistance

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Dec 2006 13:57:26 -0800

Chris-
Happy to help. 

If you are asking if you can add other users to a group that is managed by
Restricted Groups, then the answer is, probably not. Restricted Groups has
two modes. One mode takes total control over group membership--that sounds
like the mode you are using. That mode will strip any "non-sanctioned users
or groups" out of the controlled group each time GP security processing runs
(every 16 hours by default or if anything has changed in GP). The other mode
of Restricted Groups, which you may want to switch to, lets you add
particular groups to other groups. That mode is non-exclusive, and your
domain-linked GPO could add the groups it wants and you could add the groups
you want locally using, for example an OU-linked policy or a startup script
and the 'net localgroup' command. 

Hopefully that helps. Let us know if you have any other questions.

Darren


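The two Restricted Groups modes Darren describes are easy to tell apart once you look at the GptTmpl.inf that carries the policy: a `__Members` line for a group replaces its membership (exclusive), a `__Memberof` line adds the named group to another group (additive). The script below, an added example that is not part of the original post or of Darren's tools, parses a constructed GptTmpl.inf fragment to report whether Remote Desktop Users (well-known SID S-1-5-32-555) is under exclusive control, and only if it is not does it add a domain group locally with `net localgroup` as the message suggests. The group name CONTOSO\RDP-Users, the domain SIDs and the inf text are constructed for illustration; the script assumes Windows PowerShell 5.1 or later on a domain-joined machine.

```powershell
# Added example, not code from the original post. CONTOSO\RDP-Users, the
# S-1-5-21-... SIDs and $SampleInf are constructed for illustration.

$TargetSid  = 'S-1-5-32-555'        # well-known SID of BUILTIN\Remote Desktop Users
$GroupToAdd = 'CONTOSO\RDP-Users'   # constructed domain group to grant RDP access

# Constructed sample of the [Group Membership] section from a GPO's
# Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf in SYSVOL.
# "<group>__Members = ..."  : exclusive mode, membership of <group> is replaced
#                             (an empty value still means "replace with nothing").
# "<group>__Memberof = ..." : additive mode, <group> is added to the listed groups.
$SampleInf = @'
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-555
'@

function Get-RestrictedGroupMode {
    # Returns whether $Sid is exclusively managed, the sanctioned member list,
    # and which principals are additively placed into $Sid.
    param([string]$InfText, [string]$Sid)
    $inSection = $false
    $result = [ordered]@{ Exclusive = $false; ExclusiveMembers = @(); AddedTo = @() }
    foreach ($line in ($InfText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $t -eq '') { continue }
        if ($t -match '^\*?(?<key>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<val>.*)$') {
            $key  = $Matches.key
            $kind = $Matches.kind
            # Values are comma separated; SIDs carry a leading '*' in the inf.
            $vals = @($Matches.val -split ',' |
                      ForEach-Object { $_.Trim().TrimStart('*') } |
                      Where-Object { $_ })
            if ($key -eq $Sid -and $kind -eq 'Members') {
                $result.Exclusive = $true
                $result.ExclusiveMembers = $vals
            }
            if ($kind -eq 'Memberof' -and $vals -contains $Sid) {
                $result.AddedTo += $key
            }
        }
    }
    [pscustomobject]$result
}

function Add-LocalGroupMemberIfMissing {
    # Idempotent "net localgroup" add, suitable for a computer startup script.
    param([string]$LocalGroup, [string]$Member)
    $current = @(& net localgroup $LocalGroup 2>$null | ForEach-Object { $_.Trim() })
    if ($current -contains $Member) { return 'already-present' }
    & net localgroup $LocalGroup $Member /add | Out-Null
    if ($LASTEXITCODE -eq 0) { 'added' } else { "failed:$LASTEXITCODE" }
}

$mode = Get-RestrictedGroupMode -InfText $SampleInf -Sid $TargetSid
if ($mode.Exclusive) {
    Write-Warning ("A GPO manages {0} exclusively (sanctioned members: {1}). " +
                   "Anything added locally is stripped at the next security refresh; " +
                   "switch that GPO to Member-of mode or add {2} to its member list.") `
                   -f $TargetSid, ($mode.ExclusiveMembers -join ', '), $GroupToAdd
} else {
    "Additive entries targeting $TargetSid: $($mode.AddedTo -join ', ')"
    Add-LocalGroupMemberIfMissing -LocalGroup 'Remote Desktop Users' -Member $GroupToAdd
}
```

To run the check against a real policy, replace `$SampleInf` with `Get-Content -Raw` of the domain GPO's `\\<domain>\SYSVOL\<domain>\Policies\{<GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. With the constructed sample the warning branch fires, which is the situation in the thread: as long as the domain GPO carries a `__Members` line for S-1-5-32-555, an OU-linked additive policy or startup script is undone at every security refresh, so the fix is in the domain GPO, not below it.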

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of christopher.cozzalio@xxxxxxxxxxx
Sent: Wednesday, December 20, 2006 1:51 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Assistance

Thank you sir.  

I had another question if that would be alright?

Is it possible for a script or policy to do subsequent processing on an
already restricted group?  

The goal is to allow non-admins to remote desktop to specific machines in an
OU without having admin rights.

Respectfully,

Chris

----- Original Message -----
From: Darren Mar-Elia <darren@xxxxxxxxxx>
Date: Wednesday, December 20, 2006 11:02 am
Subject: [gptalk] Re: Assistance

> Chris-
> Welcome to the list. Because Restricted Groups policy, especially 
> the kind where you are replacing the total membership of a group, 
> does not merge, nor get undone if you block policy, the second 
> solution presented below is your best choice here. That is, in the 
> GPO linked to the OU where those computers exist, you would need 
> to create a new Restricted Groups policy for that Remote Desktop 
> Users group that includes all the groups defined in the domain 
> GPO, as well as the new one you wish to add.
> 
> Darren
> 
> 
> ************************
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out 
> www.gpoguy.com-- the best source for GPO FAQs, video training, 
> tools and whitepapers. Also check out the Windows Group Policy 
> Guide, the definitive resource for Group Policy information. 
> 
> Download the new GPHealth Reporter trial version at 
> http://www.sdmsoftware.com/products.php
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-
> bounce@xxxxxxxxxxxxx] On Behalf Of christopher.cozzalio@xxxxxxxxxxx
> Sent: Wednesday, December 20, 2006 9:58 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Assistance
> 
> Sirs/Ma'ams,
> 
> I'm new to the GPO arena and I've been tasked with the following 
> question.  I have attached the question and an earlier suggested 
> "fix". I was told the prescribed "fix" was incorrect. I'd be most 
> appreciative for any advice or suggestions available.  
> 
> The question:
> 
> In a lower OU from the root.  The intent is to apply a policy that 
> puts a security group in "Remote Desktop Users" on all of the 
> computers in that OU.  The only hurdle is there is a policy 
> defined at the root level that puts J6 Administrators in that 
> group across the domain.
> 
> The problem is to apply the policy just to the lower level OU 
> without changing the top level policy.
> 
> The answer I was told was incorrect:
> 
> Block inheritance at that OU and apply your new GPO at that OU. 
> This will block all GPO's from above unless they are "enforced" 
> and only 
> apply your new GPO.
> 
> OR
> 
> Create the new GPO at the OU and set the restricted group policy 
> the way you want it.  Since it is at the OU it should override the 
> policy setting from the domain.
> 
> The OU was enforced. 
> 
> Cheers for anything you can provide.
> 
> Respectfully,
> 
> SGT Chris Cozzalio
> ***********************
> You can unsubscribe from gptalk by sending email to gptalk-
> request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR 
> by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************
> 