Petri IT Knowledgebase Forums > Microsoft Networking Services > GPO

Creating A Restricted Group

This thread has 11 replies and has been viewed 22678 times.
#1
10th January 2007, 01:32
joopdog (Casual; Location: Florida, USA; Join Date: Sep 2006; Posts: 42)
Creating A Restricted Group

Restricted Group

I want to use Restricted Groups, but I’m a little bit confused.

I want to achieve the following:

I want to enable some users, such as test, test1 and test3, to have administration privileges. Simply put, to have selected users put in the local Administrators group.

How do I accomplish this?

I’ve done the following:
1. In Active Directory I created a Domain Local Group with Security group type called Test_local_group.
2. I then included the users test2, test3, test4, and test5 as members of the Test_local_group.
3. Next step I created an Organizational Unit named “My Management Admin”.
4. I created a GPO named “Restricted Group Policy Object” under the OU “My Management Admin”.
5. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. And adding the Group Name GREATBAY\Test_local_admin
6. Then I edited “This group is a member of:” by adding Administrators.
7. At the DOS prompt I ran gpupdate /force.

When I log on to the XP SP2 workstation (SPARE11), user test4 does not have administrative privileges.

I then ran gpresult /v>c:\gp_report_test4.txt on the XP sp2 workstation (SPARE11). You may see the attached results of the file.

I want to add a Domain group to a local group on a workstation.

Please assist
Attached thumbnails: gpo_restricted_01.jpg, gpo_restricted_02.jpg, gpo_restricted_03.jpg, gpo_restricted_04.jpg
Attached file: gp_report_test4.txt (9.0 KB)
#2
10th January 2007, 05:30
JeremyW (Moderator; Location: Washington DC metro area; Join Date: May 2006; Posts: 3,765)
Re: Creating A Restricted Group

joopdog, I must commend you on your post. All the information I could ask for was there (through the pictures and text and attachment)

To your problem:
You'll need to put the computers you want affected by this GPO in to the My Management Admin OU.

GPOs can be applied to users and/or computers. For the GPO to apply to a user or computer that user or computer needs to be within the hierarchy that the GPO is linked to.

To understand more http://technet2.microsoft.com/Window....mspx?mfr=true

And even deeper... http://technet2.microsoft.com/Window....mspx?mfr=true
__________________
Regards,
Jeremy

Network Consultant/Engineer
Baltimore - Washington area and beyond
www.gma-cpa.com
#3
10th January 2007, 10:05
sorinso (Moderator; Location: Haifa, Israel; Join Date: May 2006; Posts: 3,065)
Re: Creating A Restricted Group

Hi, joopdog.
I would like to add a few things:
- beware when you use the "Enforce" flag. If you linked the GPO to the My Management Admin OU, which does not have additional OUs underneath, it's useless. On the other hand, it might get you in trouble if you link the GPO to a higher container.
- if you don't have settings in one of the branches of a specific GPO, disable it. In your case, the User Settings branch is empty in this GPO. It should be disabled (in the GPMC, right-click the GPO -> Status -> User Configuration Settings Disabled). This will prevent it from being scanned when a user logs in. If you have a lot of GPOs to be processed, such useless scans can prolong the login process. It's a good practice.
Not really a reply, more some thoughts that came to me while reading your post.
Good luck and keep the forum posted.
__________________
Sorin Solomon

"In order to succeed, your desire for success should be greater than your fear of failure." - Bill Cosby
#4
10th January 2007, 21:34
Rems (Moderator; Location: NL; Join Date: Mar 2005; Posts: 2,431)
Re: Creating A Restricted Group

There is one thing to keep in mind when restricting the local group Administrators: you have to add the original members of, in particular, this local group also to that Restricted Group.

First, about the steps 4 and 5 at "I’ve done the following":
Quote:
5. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. And adding the Group Name GREATBAY\Test_local_admin
6. Then I edited “This group is a member of:” by adding Administrators.

5 should be:
Edit the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups, and add the Group Name: Administrators (the name typed here must be the name of an EXISTING local group).
6 should be:
Then add “Members of this group":
- GREATBAY\Test_local_admin
Second, because the policy will overwrite the content of the original group, do NOT forget to add also these default members of that group:
- GREATBAY\Domain Admins
- Administrator
(that last member is the local administrator account on the client, so do not add the domain name to that one)

\Rem

Last edited by Rems; 10th January 2007 at 23:30..
#5
11th January 2007, 00:57
joopdog (Casual; Location: Florida, USA; Join Date: Sep 2006; Posts: 42)
Re: Creating A Restricted Group

Quote:
Originally Posted by JeremyW View Post
joopdog, I must commend you on your post. All the information I could ask for was there (through the pictures and text and attachment) :
Thank you for the compliment.

Okay, I did the following:
1. JeremyW suggested that I move the users from the Users container to the OU “My Management Admin”. I moved users test3, test4 and test5.
2. I modified the GPO “Restricted Group Policy Object” just as Rems suggested. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I removed the group name “GREATBAY\Test_local_admin” and created a new group called “Administrators”.
3. Then I edited the “Members of this group:” by adding the following: GREATBAY\Admin, GREATBAY\Administrator and GREATBAY\Domain Admins.
4. At the DOS prompt I ran gpupdate /force.

I see some progress.

When I ran gpresult /v>c:\gp_report_test3.txt on the XP SP2 workstation (SPARE11), I see “Restricted Group Policy Object” along with Default Domain Policy and Local Group Policy under User Settings. This is good. However, under Computer Settings I see nothing under Restricted Groups. And my user test3 still does not have administrative privileges.

Am I missing something, I’m so close. Please see attached files for assistance.

Please assist.
Attached thumbnails: gpo_restricted1_01.jpg, gpo_restricted1_02.jpg
Attached files: gp_report_test3.txt (9.6 KB), GPOs_test3 on SPARE11-192.168.100.26.pdf (53.6 KB)
#6
11th January 2007, 01:10
JeremyW (Moderator; Location: Washington DC metro area; Join Date: May 2006; Posts: 3,765)
Re: Creating A Restricted Group

Quote:
Originally Posted by joopdog View Post
1. JeremyW suggested that I move the users from the Users container to the OU “My Management Admin”.
I most certainly did NOT say USERS!!!!
I said computers. In your case this would be SPARE11.
#7
11th January 2007, 11:24
Rems (Moderator; Location: NL; Join Date: Mar 2005; Posts: 2,431)
Re: Creating A Restricted Group

Quote:
Originally Posted by joopdog
3. Then I edited the “Members of this group:” by adding the following: GREATBAY\Admin, GREATBAY\Administrator and GREATBAY\Domain Admins.
No, those are not the members I told;
Add only these 3 members:
GREATBAY\Test_local_admin
GREATBAY\Domain Admins
Administrator

(that last member is the local administrator account on the client, so do not add the domain name to that one)

Where the group "GREATBAY\Test_local_admin" is the group you created in Active Directory which contains the test user accounts that you created before in Active Directory.

After you finished the GPO where you create the restricted group, link this GPO to the OU that contains the computer account SPARE11.
After that restart SPARE11 (twice),
and see if the group GREATBAY\Test_local_admin is now added on that computer to its local Administrators group.

\Rem

Last edited by Rems; 11th January 2007 at 11:27..
#8
11th January 2007, 18:25
joopdog (Casual; Location: Florida, USA; Join Date: Sep 2006; Posts: 42)
Re: Creating A Restricted Group

Okay, here’s what I did:
1. JeremyW strongly said to move the computers to the OU “My Management Admin”. I moved computers spare9, spare10 and spare11.
2. I modified the GPO “Restricted Group Policy Object” just as Rems suggested. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I created a new group called “Administrators”.
3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.
4. At the DOS prompt I ran gpupdate /force.
5. I re-booted the spare9, spare10 and spare11 computers.
6. Everything looked great. I finally saw the “GREATBAY\Test_local_admin” in the Local Administrators group. However, the test4 did NOT have administrative privileges.
7. I then took the initiative and created another group in Active Directory called GREATBAY\Local_Admin_Group with Global group scope and Security group type.
8. IT WORKED!!! “GREATBAY\Local_Admin_Group” was added to the Local Administrators group and Test4 had administrative privileges.
9. You see “GREATBAY\Test_local_admin” had Domain local group scope and Security group type. I found that this does not work. The group name in Active Directory must have Global group scope NOT Domain local.
10. I went one step further.
11. I created a group in Active Directory called “Local_PowerUsers_Group”.
12. I modified the GPO “Restricted Group Policy Object”. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I created another group along with “Administrators” called “Power Users”.
13. Then I edited the “Power Users” group and the “Members of this group:” by adding the following: GREATBAY\Local_PowerUsers_Group.
14. At the DOS prompt I ran gpupdate /force.
15. Re-booted the spare9, spare10 and spare11 computers.
16. IT WORKED!!! Test6 had power users privileges.

JeremyW and Rems, you guys are amazing. I must commend you guys for your knowledge and patience with me.

Thank you, thank you thank you.

Last edited by joopdog; 12th January 2007 at 16:32..
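The two things this thread tripped over before the policy worked were the scope of the AD group (a Global security group succeeded where the Domain Local one did not, per step 9 above) and the placement of the computer object (JeremyW's point in #2 and #6: the GPO only applies to computers under the OU it is linked to). The following PowerShell script is an added example, not code from the thread or from Microsoft, that checks both in Active Directory with the .NET DirectorySearcher, so it needs no RSAT module. The group and computer names are the thread's; the OU distinguished name in $ExpectedOu is an assumption and must be replaced with the real one.

```powershell
# Added example (not from the thread): confirm an AD group's scope/type and a computer's OU
# placement before troubleshooting a Restricted Groups GPO any further.
param(
    [string]$GroupName    = 'Local_Admin_Group',      # group joopdog used in step 7
    [string]$ComputerName = 'SPARE11',                # client from the thread
    [string]$ExpectedOu   = 'OU=My Management Admin,DC=greatbay,DC=local'   # ASSUMED DN of the OU the GPO is linked to
)

# Scope bits of the AD groupType attribute; the sign bit (0x80000000) marks a security group
$GROUP_GLOBAL       = 0x2
$GROUP_DOMAIN_LOCAL = 0x4
$GROUP_UNIVERSAL    = 0x8

function Find-AdObject {
    param([string]$LdapFilter, [string[]]$Attributes)
    # DirectorySearcher with no SearchRoot searches the logon domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $LdapFilter
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    return $searcher.FindOne()
}

function Get-AdGroupScope {
    param([string]$Name)
    $r = Find-AdObject -LdapFilter "(&(objectCategory=group)(sAMAccountName=$Name))" -Attributes 'groupType'
    if (-not $r) { throw "Group '$Name' not found in the domain" }
    $type = [int]$r.Properties['grouptype'][0]
    $scope = if ($type -band $GROUP_GLOBAL)           { 'Global' }
             elseif ($type -band $GROUP_DOMAIN_LOCAL) { 'DomainLocal' }
             elseif ($type -band $GROUP_UNIVERSAL)    { 'Universal' }
             else                                     { 'Unknown' }
    [PSCustomObject]@{
        Name       = $Name
        Scope      = $scope
        IsSecurity = ($type -lt 0)     # security bit set => negative int32; clear => distribution group
    }
}

function Get-AdComputerContainer {
    param([string]$Name)
    # computer sAMAccountNames end with '$'; the backtick keeps the literal dollar sign
    $r = Find-AdObject -LdapFilter "(&(objectCategory=computer)(sAMAccountName=$Name`$))" -Attributes 'distinguishedName'
    if (-not $r) { throw "Computer '$Name' not found in the domain" }
    $dn = [string]$r.Properties['distinguishedname'][0]
    # strip the leading "CN=<name>," to obtain the parent container's DN
    return $dn.Substring($dn.IndexOf(',') + 1)
}

$group = Get-AdGroupScope -Name $GroupName
if ($group.Scope -ne 'Global' -or -not $group.IsSecurity) {
    $kind = if ($group.IsSecurity) { 'security' } else { 'distribution' }
    Write-Warning "$GroupName is a $($group.Scope) $kind group; in this thread only a Global security group worked"
} else {
    "OK: $GroupName is a Global security group"
}

$container = Get-AdComputerContainer -Name $ComputerName
if ($container -ne $ExpectedOu) {
    Write-Warning "$ComputerName is in '$container', not in '$ExpectedOu'; a GPO linked to that OU will not apply to it"
} else {
    "OK: $ComputerName is in $ExpectedOu"
}
```

Run it from any domain-joined machine as a domain user; both lookups are read-only. The DN comparison is case-insensitive (PowerShell's -ne on strings), which is fine for DNs, and a computer nested in a sub-OU of $ExpectedOu will be reported as a mismatch even though an inherited link would still apply, so treat that warning as a prompt to look at the OU tree rather than as a verdict.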
#9
11th January 2007, 18:58
JeremyW (Moderator; Location: Washington DC metro area; Join Date: May 2006; Posts: 3,765)
Re: Creating A Restricted Group

Glad to help.

Joopdog, we'd appreciate it if you could grant some reputation points to the user that helped you. (Rems) Just click on the little Yin-Yang icon on the right of Rem's answer and follow the prompt.

(Yes, this is direct plagiarism of Daniel's line )
#10
11th January 2007, 21:09
Rems (Moderator; Location: NL; Join Date: Mar 2005; Posts: 2,431)
Re: Creating A Restricted Group

Nice job joopdog! To add a new AD group to the restricted group rather than to add individual domain users - this is the best way to control the local privileges for users.

Things to keep in mind when you want to restrict standard groups:
  • to restrict the local group "Administrators" you always have to add the standard memberships also manually to the list of members of the restricted group.
  • to restrict the local group "Power Users", or
    to restrict the local group "Remote Desktop Users" you do not have to add any additional standard members. But the point here is that these groups have English names. That means that on clients with non-English OSes you have to use the localized name of that group for the name of the restricted group.
    Or better, in that case use the English and all the necessary localized names. That is no problem because the names of the restricted groups that are unknown on the client will just be ignored.
Still one comment for step 3! This is how it really should be:
3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.

\Rem

Last edited by Rems; 11th January 2007 at 21:19..
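Rems's verification step in #7 (restart the client, then see whether the domain group landed in the local Administrators group) and the localized-name caveat in #10 can be covered by one client-side check. The script below is an added example, not from the thread or from Microsoft: it finds the built-in group by its well-known SID rather than by name (S-1-5-32-544 is Administrators on every Windows language; 547 is Power Users, 555 is Remote Desktop Users), enumerates its members through the WinNT ADSI provider (available on legacy clients such as the XP machines in the thread, no LocalAccounts module needed), and compares them with the members the Restricted Groups policy is supposed to enforce. The expected member list mirrors step 3 as Rems confirmed it, with the Global group from step 7; adjust it to your own policy.

```powershell
# Added example (not from the thread): verify that a Restricted Groups policy produced exactly the
# intended local group membership, locating the group by SID so localized group names do not matter.
param(
    # ASSUMED expected membership, taken from the thread (domain GREATBAY); replace with your policy's list
    [string[]]$ExpectedMembers = @('Administrator', 'GREATBAY\Domain Admins', 'GREATBAY\Local_Admin_Group'),
    [string]$GroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators; Power Users = S-1-5-32-547, Remote Desktop Users = S-1-5-32-555
)

function Get-LocalGroupNameFromSid {
    param([string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # Translate returns e.g. 'BUILTIN\Administrators' in the OS language; keep the group part only
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]
}

function Get-LocalGroupMembersByName {
    param([string]$GroupName)
    $group   = [ADSI]"WinNT://./$GroupName,group"
    $members = @()
    foreach ($m in $group.Invoke('Members')) {
        # Each member is a COM object; read its ADsPath via late binding
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath forms seen in practice: WinNT://GREATBAY/Domain Admins (domain principal),
        # WinNT://SPARE11/Administrator or WinNT://GREATBAY/SPARE11/Administrator (local account),
        # WinNT://S-1-5-21-... (orphaned SID of a deleted account)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = $parts[-1]
        $owner = if ($parts.Length -ge 2) { $parts[-2] } else { '' }
        if ($owner -eq '' -or $owner -ieq $env:COMPUTERNAME) {
            $members += $name                 # local account or bare SID: no domain prefix
        } else {
            $members += "$owner\$name"        # domain user or group
        }
    }
    return $members
}

function Compare-LocalGroupMembership {
    param([string[]]$Expected, [string[]]$Actual)
    # -notcontains compares strings case-insensitively, matching how Windows treats account names
    $missing = @($Expected | Where-Object { $Actual   -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [PSCustomObject]@{
        Missing    = $missing       # policy members the client does not have: policy not applied yet
        Unexpected = $extra         # members the policy should have removed: stale admins or orphaned SIDs
        Compliant  = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$groupName = Get-LocalGroupNameFromSid -Sid $GroupSid
$actual    = Get-LocalGroupMembersByName -GroupName $groupName
"Local group '$groupName' on $env:COMPUTERNAME: $($actual -join ', ')"
Compare-LocalGroupMembership -Expected $ExpectedMembers -Actual $actual
```

Run it on the client after the reboot Rems recommends; an empty Missing and Unexpected list means the policy has been applied and nothing else has crept into the group. Because the group is resolved from its SID, the same script reports correctly on a German or French client where the group is named differently, which is exactly the case Rems warns about for Power Users and Remote Desktop Users. If the local Administrator account has been renamed, it shows up once under Unexpected (new name) and once under Missing ("Administrator"); that is a reason to put the current name in $ExpectedMembers, not a policy failure.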