Chris-

Happy to help. If you are asking if you can add other users to a group that is managed by Restricted Groups, then the answer is, probably not. Restricted Groups has two modes. One mode takes total control over group membership--that sounds like the mode you are using. That mode will strip any "non-sanctioned users or groups" out of the controlled group each time GP security processing runs (every 16 hours by default or if anything has changed in GP).

The other mode of Restricted Groups, which you may want to switch to, lets you add particular groups to other groups. That mode is non-exclusive, and your domain-linked GPO could add the groups it wants and you could add the groups you want locally using, for example an OU-linked policy or a startup script and the 'net localgroup' command.

Hopefully that helps. Let us know if you have any other questions.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of christopher.cozzalio@xxxxxxxxxxx
Sent: Wednesday, December 20, 2006 1:51 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Assistance

Thank you sir. I had another question if that would be alright? Is it possible for a script or policy to do subsequent processing on an already restricted group? The goal is to allow non-admins to remote desktop to specific machines in an OU without having admin rights.

Respectfully,
Chris

----- Original Message -----
From: Darren Mar-Elia <darren@xxxxxxxxxx>
Date: Wednesday, December 20, 2006 11:02 am
Subject: [gptalk] Re: Assistance

> Chris-
> Welcome to the list. Because Restricted Groups policy, especially
> the kind where you are replacing the total membership of a group,
> does not merge, nor get undone if you block policy, the second
> solution presented below is your best choice here. That is, in the
> GPO linked to the OU where those computers exist, you would need
> to create a new Restricted Groups policy for that Remote Desktop
> Users group that includes all the groups defined in the domain
> GPO, as well as the new one you wish to add.
>
> Darren
>
> ************************
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out
> www.gpoguy.com-- the best source for GPO FAQs, video training,
> tools and whitepapers. Also check out the Windows Group Policy
> Guide, the definitive resource for Group Policy information.
>
> Download the new GPHealth Reporter trial version at
> http://www.sdmsoftware.com/products.php
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of christopher.cozzalio@xxxxxxxxxxx
> Sent: Wednesday, December 20, 2006 9:58 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Assistance
>
> Sirs/Ma'ams,
>
> I'm new to the GPO arena and I've been tasked with the following
> question. I have attached the question and an earlier suggested
> "fix". I was told the prescribed "fix" was incorrect. I'd be most
> appreciative for any advice or suggestions available.
>
> The question:
>
> In a lower OU from the root. The intent is to apply a policy that
> puts a security group in "Remote Desktop Users" on all of the
> computers in that OU. The only hurdle is there is a policy
> defined at the root level that puts J6 Administrators in that
> group across the domain.
>
> The problem is to apply the policy just to the lower level OU
> without changing the top level policy.
>
> The answer I was told was incorrect:
>
> Block inheritance at that OU and apply your new GPO at that OU.
> This will block all GPO's from above unless they are "enforced"
> and only apply your new GPO.
>
> OR
>
> Create the new GPO at the OU and set the restricted group policy
> the way you want it. Since it is at the OU it should override the
> policy setting from the domain.
>
> The OU was enforced.
>
> Cheers for anything you can provide.
>
> Respectfully,
>
> SGT Chris Cozzalio
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> by logging into the freelists.org Web interface. Archives for the
> list are available at //www.freelists.org/archives/gptalk/
> ************************
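
The two Restricted Groups modes discussed in this thread, as they would appear in the security template (GptTmpl.inf) of an OU-linked GPO. This is an added example, not part of the original messages: the group name OU-RDP-Users and the bracketed domain SIDs are placeholders, while S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.

```ini
; Constructed example: [Group Membership] section of
;   <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
; Two alternative versions of the section are shown for comparison;
; a real template contains only one [Group Membership] section.
;
; S-1-5-32-555            = BUILTIN\Remote Desktop Users (well-known SID)
; <SID-J6-Administrators> = placeholder for the domain SID of "J6 Administrators"
; <SID-OU-RDP-Users>      = placeholder for the SID of a hypothetical
;                           domain group "OU-RDP-Users"

; --- Option A: exclusive mode ("Members of this group") ---------------
; Keyed on the group being controlled. The __Members list REPLACES the
; local group's membership every time security policy is processed, and
; any account not listed is removed. Lists from different GPOs are not
; merged, so the OU-linked GPO has to repeat every group the domain GPO
; puts in Remote Desktop Users, plus the new one.
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *<SID-J6-Administrators>,*<SID-OU-RDP-Users>

; --- Option B: additive mode ("This group is a member of") ------------
; Keyed on the group being ADDED. It only ensures OU-RDP-Users is a
; member of Remote Desktop Users and does not remove existing members.
; For the domain GPO and the OU GPO to each contribute their own groups,
; both would use this mode, as the reply at the top of the thread
; suggests.
[Group Membership]
*<SID-OU-RDP-Users>__Memberof = *S-1-5-32-555
*<SID-OU-RDP-Users>__Members =
```

With Option A, a startup script that runs 'net localgroup' against the same group is undone at the next security policy refresh; with Option B the manually added members are left in place.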