Thanks a lot for the descriptive reply Omar. This has caused nothing but problems for me :-(

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Omar Droubi
Sent: 16 October 2006 21:10
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricted Groups

Sorry- No revert option. Restricted Groups in a GPO will overwrite the members, and when turned off it just leaves the existing members as is.

So what to do now????

In many companies the end user is manually added to the local Administrators group (especially with laptops). So in this situation you may want to consider the security no-no of adding the Domain Users group to the local admin group on all machines running a client OS (Win 2K Pro and Win XP Pro). After that is done the initial problem is fixed as soon as the update takes place in the group and the end user logs off and logs back on.

Now, after the fire is put out, how do you fix the issue and put these users back? This is the dilemma that Windows administrators, including myself, have been fighting for the past 10 years or so. There is no simple method of determining who is the correct user that should be added to that local group.

One option is to run a script that reads c:\documents and settings\ and reads all subfolders- or the user profile cache list- and adds those users to the local admin group. This can be a challenge both from a scripting perspective as well as in getting good results.

Now option 2- If you follow the security no-no of adding Domain Users to the local admin group until this is resolved, you can add a line to, or add a new, logon script: 'net localgroup administrators /add %username%'. This will error if the user is already listed explicitly, but if he is just a member of the group it will add that explicit user. A few weeks after adding that logon script you can run a separate script to query each local machine and read the local Administrators group, and if 'Domain Users' is a member- remove it.

But the logic to remove Domain Users must check for additional accounts like the local Administrator and Domain Admins before you dump the Domain Users group.

Best of luck- and next time test your GPO in an isolated GPO- or lock down who can manage and link GPOs in your AD forest.

Hope this helps- please excuse any typos- running on too much coffee..............................

Omar

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Lewis
Sent: Monday, October 16, 2006 12:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Restricted Groups

Hi guys.

It would seem as though some particular users have been applied to the local admins group on all clients across our domain. This has been initiated via the Restricted Groups option within Group Policy but has now caused all the existing local admins to be removed from the clients. Despite removing the applicable users from Restricted Groups and setting the GPO back to Not Configured, they're still applied.

Is there a way to set this back to the previous state? Any advice would be greatly appreciated.

Cheers
Ray
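Omar's second option ends with a cleanup pass: query each machine, and remove Domain Users from the local Administrators group only after confirming the safety accounts (the local Administrator and Domain Admins) are still there. The script below is an added example of that cleanup pass written today in PowerShell; it is not code from the thread or from either poster. It assumes the WinNT ADSI provider can reach each machine (remote SAM access is allowed through the host firewall), that the account running it is a local admin on the targets, and that $Domain is your NetBIOS domain name (CONTOSO is a placeholder). Run it with -WhatIf first: it then only writes a CSV report of what it would do, which is the check you want before touching a fleet.

```powershell
# Added example (not from the thread): remove DOMAIN\Domain Users from the local
# Administrators group on each listed machine, but only when the safety accounts
# (local Administrator and DOMAIN\Domain Admins) are still members, so no box is
# left without a known admin. Supports -WhatIf for a report-only run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string[]] $ComputerName,
    [Parameter(Mandatory = $true)] [string]   $Domain,   # NetBIOS name, e.g. CONTOSO (placeholder)
    [string] $ReportPath = ".\localadmins-report.csv"
)

function Get-LocalAdminMembers {
    # Returns "SCOPE\Name" strings for every member of the local Administrators group.
    # SCOPE is the domain for domain principals and the machine name for local ones.
    param([string] $Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath examples: WinNT://CONTOSO/Domain Users  or  WinNT://CONTOSO/PCNAME/Administrator
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # keep only the last two segments so local accounts normalise to PCNAME\Name
        ($parts | Select-Object -Last 2) -join '\'
    }
}

$domainUsers  = "$Domain\Domain Users"
$domainAdmins = "$Domain\Domain Admins"

$report = foreach ($pc in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMembers -Computer $pc)
    } catch {
        [pscustomobject]@{ Computer = $pc; Action = 'ERROR'; Detail = $_.Exception.Message }
        continue
    }

    $localAdmin    = "$pc\Administrator"
    $safetyPresent = ($members -contains $domainAdmins) -and ($members -contains $localAdmin)
    # everything else explicit is presumed to be a user the logon script re-added
    $explicitUsers = $members | Where-Object { $_ -notin @($domainUsers, $domainAdmins, $localAdmin) }

    if ($members -notcontains $domainUsers) {
        [pscustomobject]@{ Computer = $pc; Action = 'SKIP'; Detail = 'Domain Users not a member' }
        continue
    }
    if (-not $safetyPresent) {
        # Omar's caveat: do not strip Domain Users if it would leave no known admin behind
        [pscustomobject]@{ Computer = $pc; Action = 'HOLD'; Detail = "Safety account(s) missing; members: $($members -join ';')" }
        continue
    }
    if ($PSCmdlet.ShouldProcess($pc, "Remove $domainUsers from Administrators")) {
        $group = [ADSI]"WinNT://$pc/Administrators,group"
        $group.Remove("WinNT://$Domain/Domain Users,group")
        [pscustomobject]@{ Computer = $pc; Action = 'REMOVED'; Detail = "Remaining explicit users: $($explicitUsers -join ';')" }
    } else {
        [pscustomobject]@{ Computer = $pc; Action = 'WHATIF'; Detail = "Would keep: $($explicitUsers -join ';')" }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Usage: `.\Remove-DomainUsersFromLocalAdmins.ps1 -ComputerName (Get-Content .\pcs.txt) -Domain CONTOSO -WhatIf`, then review the CSV and rerun without -WhatIf. The HOLD state is the important design choice: a machine where Domain Admins or the local Administrator has gone missing is left untouched and flagged, because on such a box Domain Users may be the only thing still granting anyone admin access. The "explicit users" column also gives you the per-machine list that the logon script rebuilt, which is the record Omar says is otherwise so hard to reconstruct.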