[gptalk] Re: Restricted Groups - appending to local administrators

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 7 Sep 2007 11:59:46 -0700

Just type in the name of the local group and don't worry about specifying your 
workstation name.


Remember that the GPO will be linked to an OU that contains the PCs you want to 
apply the policy to and it will just look for the local group that has the name 
you specify. See the figure for adding the domain "HelpDesk" group to the local 
computers Remote Desktop Users group.






From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Johnson, Matthew
Sent: Friday, September 07, 2007 11:14 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricted Groups - appending to local administrators


Here is what happens when I try following the instructions from Thorbjörn 
Sjövold (see below).

1)       I create the GPO

2)       I go to the Restricted Groups, Right click and Choose Add Group

3)       I browse and select the domain group which I want to add to the local 
administrators group and click OK

4)       I click Add under the section which says "This group is a member of"

5)       I click Browse and then click the Locations button to choose my local 
computer rather than the domain

Here's where the problem occurs

6)       Once I do that, the field for Object Type goes blank (instead of 
saying Groups)

So essentially it's not looking for any object type.  I try typing in 

LocalComputerName\administrators             but it can't find it.

Thanks for any assistance.


Matthew Johnson


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of ca11235
Sent: Wednesday, September 05, 2007 5:46 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricted Groups - appending to local administrators




Sorry for the slow thanks - my mail forwarding has gone a bit awol.  Thanks for 
the replies.



On 30/08/07, Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx> wrote: 

Col, see below for an answer that I gave previously, this seem to be very 
common question J








Actually it is both possible to both mirror and add, the latter is done using 
the  "This group is a member of:" part of the Restricted Groups settings, but 
you have to select the groups in "reverse" order, i.e. first the group you want 
to add and then where you want it, while in the normal case you select the 
group to manage and then who should be in it.


So if you for example want to have Domains Admins added to the local 
Administrators group, you select Add Group... in the Restricted Groups node, 
then select Domain Admins from your domain and in the "This group is a member 
of:" you select the Administrators group. Remember to select the local computer 
in the Object Picker when you browse for the local group. 



Thorbjörn Sjövold

Special Operations Software

www.specopssoft.com <http://www.specopssoft.com/> 

thorbjorn.sjovold a t specopssoft.com <http://specopssoft.com/> 


Download our free tool for remote Gpupdate with graphical reporting, 







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Auld Colin
Sent: den 30 augusti 2007 15:29
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Restricted Groups - appending to local administrators 


Is there a way to *add* a member to the local administrators group on a member 
server using Restricted Groups?  I know that, normally, a Restricted Group 
policy will remove any existing members and replace them with those set in the 
policy.  But what I'd like to do is use Restricted Groups to extend the list 
i.e. leave the existing members as they are...


|* This e-mail, and any attachments, is confidential and for the use of the 
addressee only.

|* If you are not the intended recipient, please telephone +44 (0) 1506 408700

|* We do not accept legal responsibility for this e-mail or any viruses.

|* All e-mails sent and received by us are monitored.

|* Contracts cannot be concluded with us by e-mail.

|* This message has been sent from a member of the British Energy Group (the 

|* The parent company of the Group is British Energy Group plc, a company 
registered in Scotland, registered number 270184, and having its registered 
office at

|* Systems House, Alba Campus, Livingston EH54 7EG



PNG image

Other related posts: