[gptalk] Re: Restricted Groups

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 16 Oct 2006 13:09:39 -0700

Sorry- No revert option.
Restricted groups in GPO will overwrite the members and when turned off it
just leaves the existing members as is.
So what to do now????
In many companies the end user is manually added to the local administrator
group (especially with laptops).
So in this situation you may want to consider the security no no of adding
the domain users group to the local admin group on all machines running a
client os (win 2k pro and win xp pro)
after that is done the initial problem is fixed as soon as the update takes
place in the group and the end user logs off and back logs back on.
Now for after the fire is put out how do you fix the issue and put these
users back? This is the dilemma that windows administrators, including
myself, have been fighting for the past 10 years or so. There is no simple
method of determining who is the correct user that should be added to that
local group.
One option is to run a script that reads the c:\documents and settings\ and
reads all subfolders- or user profile cache list and adds those users to the
local admin group. This can be a challenge both from a scripting perspective
as well as getting good results.
Now option 2- If you follow the security no no of adding the domain users to
the local admin until this is resolved- you can add a line or add a new
logon script  'net localgroup administrators /add %username%"
This will error if the user is already listed explicitly  but if he is just
a member of the group it will add that explicit user.  A few weeks after
adding that logon script you can run a separate script to query each local
machine and read the local administrators group and if 'Domain users" is a
member- remove it. But the logic to remove the domain users must check for
additional accounts like local administrator and Domain Admins before you
dump the Domain users group.
Best of luck- and next time test your GPO in an isolated GPO- or lock down
who can manage and link GPO's in your AD forest.
Hope this helps- please excuse any typos- running on too much


 From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ray Lewis
Sent: Monday, October 16, 2006 12:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Restricted Groups

Hi guys.


It would seem as though some particular users have been applied to the local
admins groups to all clients across our domain. This has been initiated via
the Restricted Groups option within Group Policy but has now caused all the
existing local admins to be removed from the clients. Despite removing the
applicable users from the Restricted Groups and setting the GPO back to not
configured, they're still applied. Is there a way to set this back to the
previous state? Any advice would be greatly appreciated.





Other related posts: