Creating A Restricted Group

  • Creating A Restricted Group

    Restricted Group

    I want to use Restricted Groups but I’m a little bit confused.

    I want to achieve the following:

    I want to enable some users, such as test, test1 and test3, to have administration privileges. Simply put, to have selected users put in the local Administrators group.

    How do I accomplish this?

    I’ve done the following:
    1. In Active Directory I created a Domain Local Group with Security group type called Test_local_group.
    2. I then included the users test2, test3, test4, and test5 as members of the Test_local_group.
    3. Next step I created an Organizational Unit named “My Management Admin”.
    4. I created a GPO named “Restricted Group Policy Object” under the OU “My Management Admin”.
    5. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups, and adding the group name GREATBAY\Test_local_admin.
    6. Then I edited “This group is a member of:” by adding Administrators.
    7. At the DOS prompt I ran gpupdate /force.

    When I log on to the XP SP2 workstation (SPARE11), user test4 does not have administrative privileges.

    I then ran gpresult /v>c:\gp_report_test4.txt on the XP SP2 workstation (SPARE11). You may see the attached results of the file.

    I want to add a Domain group to a local group on a workstation.

    Please assist

  • #2
    Re: Creating A Restricted Group

    joopdog, I must commend you on your post. All the information I could ask for was there (through the pictures and text and attachment)

    To your problem:
    You'll need to put the computers you want affected by this GPO in to the My Management Admin OU.

    GPOs can be applied to users and/or computers. For the GPO to apply to a user or computer that user or computer needs to be within the hierarchy that the GPO is linked to.

    To understand more: http://technet2.microsoft.com/Window....mspx?mfr=true

    And even deeper... http://technet2.microsoft.com/Window....mspx?mfr=true
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: Creating A Restricted Group

      Hi, joopdog.
      I would like to add few things:
      - beware when you use the "Enforce" flag. If you linked the GPO to the My Management Admin OU, which does not have additional OUs underneath, it's useless. On the other hand, it might get you in trouble if you link the GPO to a higher container.
      - if you don't have settings in one of the branches of a specific GPO, disable it. In your case, the User Settings branch is empty in this GPO. It should be disabled (in the GPMC, right-click the GPO -> Status -> User Configuration Settings Disabled). This will prevent it from being scanned when a user logs in. If you have a lot of GPOs to be processed, such a useless scan can prolong the login process. It's a good practice.
      Not really a reply, more some thoughts that came to me while reading your post.
      Good luck and keep the forum posted.

      Sorin Solomon

      »»»»»
      In order to succeed, your desire for success should be greater than your fear of failure.
      -
      «««««

      Comment


      • #4
        Re: Creating A Restricted Group

        There is one thing to keep in mind when restricting the local group Administrators: you have to add the original members of this particular local group to that Restricted Group as well.

        First, about the steps 4 and 5 at "I’ve done the following":
        5. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. And adding the Group Name GREATBAY\Test_local_admin
        6. Then I edited “This group is a member of:” by adding Administrators.


        5 should be:
        Edit the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups, and add the group name: Administrators (the name typed here must be the name of an EXISTING local group).
        6 should be:
        Then add “Members of this group”:
        - GREATBAY\Test_local_admin
        Second, because the policy will overwrite the content of the original group, do NOT forget to also add these default members of that group:
        - GREATBAY\Domain Admins
        - Administrator
        (that last member is the local administrator account on the client, so do not add the domain name to that one)

        \Rem
        Last edited by Rems; 10th January 2007, 21:30.

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts

        Comment


        • #5
          Re: Creating A Restricted Group

          Originally posted by JeremyW:
          joopdog, I must commend you on your post. All the information I could ask for was there (through the pictures and text and attachment)
          Thank you for the compliment.

          Okay, I did the following:
          1. JeremyW suggested that I move the users from the Users container to the OU “My Management Admin”. I moved users test3, test4 and test5.
          2. I modified the GPO “Restricted Group Policy Object” just as Rems suggested. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I removed the group name “GREATBAY\Test_local_admin” and created a new group called “Administrators”.
          3. Then I edited the “Members of this group:” by adding the following: GREATBAY\Admin, GREATBAY\Administrator and GREATBAY\Domain Admins.
          4. At the DOS prompt I ran gpupdate /force.

          I see some progress.

          When I ran gpresult /v>c:\gp_report_test3.txt on the XP SP2 workstation (SPARE11), I see “Restricted Group Policy Object” along with Default Domain Policy and Local Group Policy under User Settings. This is good. However, under Computer Settings, under Restricted Groups, I see nothing. And my user test3 still does not have administrative privileges.

          Am I missing something? I’m so close. Please see attached files for assistance.

          Please assist.

          Comment


          • #6
            Re: Creating A Restricted Group

            Originally posted by joopdog:
            1. JeremyW suggested that I move the users from the Users container to the OU “My Management Admin”.
            I most certainly did NOT say USERS!!!!
            I said computers. In your case this would be SPARE11.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: Creating A Restricted Group

              Originally posted by joopdog:
              3. Then I edited the “Members of this group:” by adding the following: GREATBAY\Admin, GREATBAY\Administrator and GREATBAY\Domain Admins.
              No, those are not the members I told you;
              Add only these 3 members:
              GREATBAY\Test_local_admin
              GREATBAY\Domain Admins
              Administrator

              (that last member is the local administrator account on the client, so do not add the domainname to that one)

              Where the group "GREATBAY\Test_local_admin" is the group you created in Active Directory which contains the test user accounts that you created before in Active Directory.

              After you finished the GPO where you create the restricted group, link this GPO to the OU that contains the computer account SPARE11.
              After that, restart SPARE11 (twice),
              and see if the group GREATBAY\Test_local_admin is now added on that computer to its local Administrators group.

              \Rem
              Last edited by Rems; 11th January 2007, 09:27.

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts

              Comment


              • #8
                Re: Creating A Restricted Group

                Okay, here’s what I did:
                1. JeremyW strongly said to move the computers to the OU “My Management Admin”. I moved computers spare9, spare10 and spare11.
                2. I modified the GPO “Restricted Group Policy Object” just as Rems suggested. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I created a new group called “Administrators”.
                3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.
                4. At the DOS prompt I ran gpupdate /force.
                5. I re-booted the spare9, spare10 and spare11 computers.
                6. Everything looked great. I finally saw “GREATBAY\Test_local_admin” in the local Administrators group. However, test4 did NOT have administrative privileges.
                7. I then took the initiative and created another group in Active Directory called GREATBAY\Local_Admin_Group with Global group scope and Security group type.
                8. IT WORKED!!! “GREATBAY\Local_Admin_Group” was added to the Local Administrators group and Test4 had administrative privileges.
                9. You see “GREATBAY\Test_local_admin” had Domain local group scope and Security group type. I found that this does not work. The group name in Active Directory must have Global group scope NOT Domain local.
                10. I went one step further.
                11. I created a group in Active Directory called “Local_PowerUsers_Group”.
                12. I modified the GPO “Restricted Group Policy Object”. I did this by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. I created another group along with “Administrators” called “Power Users”.
                13. Then I edited the “Power Users” group and the “Members of this group:” by adding the following: GREATBAY\Local_PowerUsers_Group.
                14. At the DOS prompt I ran gpupdate /force.
                15. Re-booted the spare9, spare10 and spare11 computers.
                16. IT WORKED!!! Test6 had power users privileges.

                JeremyW and Rems, you guys are amazing. I must commend you guys for your knowledge and patience with me.

                Thank you, thank you thank you.
                Last edited by joopdog; 12th January 2007, 14:32.

                Comment
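A way to automate the check joopdog did by hand in steps 6 and 8 (look in the local Administrators group, then look at the computer-scope gpresult), as an added example that is not code from the thread. It assumes PowerShell 5.1 or later on a domain-joined client (Get-LocalGroupMember), an elevated prompt for gpresult, and the GREATBAY domain, group and GPO names from this thread, which are assumptions you would replace with your own.

```powershell
# Added example, not from the thread. Audits the local Administrators group against the
# members the "Members of this group" section is expected to enforce, and confirms the GPO
# reached the COMPUTER scope (Restricted Groups is a computer setting; a GPO that shows up
# only under User Settings, as in post #5, is linked to the wrong OU).
# Assumptions: PowerShell 5.1+, elevated prompt, names below copied from the thread.

$GpoName  = 'Restricted Group Policy Object'
$Expected = @(
    "$env:COMPUTERNAME\Administrator"   # built-in local account; the security CSE re-adds it anyway
    'GREATBAY\Domain Admins'            # default member that the policy would otherwise strip
    'GREATBAY\Local_Admin_Group'        # the Global security group that worked in post #8
)

function Get-RestrictedGroupDrift {
    param([string]$Group = 'Administrators', [string[]]$ExpectedMembers)

    # Get-LocalGroupMember returns DOMAIN\Name plus the SID; -notcontains compares names
    # case-insensitively, which is enough for an audit report.
    $actual = @(Get-LocalGroupMember -Group $Group | Select-Object -ExpandProperty Name)

    $missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })
    $unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })

    [pscustomobject]@{
        Group      = $Group
        Missing    = $missing     # policy not applied yet (reboot/gpupdate) or wrong group scope
        Unexpected = $unexpected  # members the "Members" section should have removed
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

function Test-ComputerGpoApplied {
    param([string]$Name)
    # gpresult /r prints an "Applied Group Policy Objects" block followed by a blank line;
    # only names inside that block count (filtered-out GPOs are listed in a later block).
    $inApplied = $false
    foreach ($line in (& gpresult.exe /r /scope computer)) {
        if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
        if ($inApplied -and $line.Trim() -eq '')      { $inApplied = $false }
        if ($inApplied -and $line.Trim() -eq $Name)   { return $true }
    }
    return $false
}

$drift = Get-RestrictedGroupDrift -Group 'Administrators' -ExpectedMembers $Expected
$drift | Format-List
if (-not (Test-ComputerGpoApplied -Name $GpoName)) {
    Write-Warning "GPO '$GpoName' is not in the computer-scope RSoP: check which OU holds $env:COMPUTERNAME"
}
```

Run it after the reboot Rems recommends; a Missing entry together with a warning from Test-ComputerGpoApplied points at OU placement, a Missing entry without the warning points at the group itself (scope or spelling).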


                • #9
                  Re: Creating A Restricted Group

                  Glad to help.

                  Joopdog, we'd appreciate it if you could grant some reputation points to the user that helped you. (Rems) Just click on the little Yin-Yang icon on the right of Rem's answer and follow the prompt.

                  (Yes, this is direct plagiarism of Daniel's line)
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com

                  Comment


                  • #10
                    Re: Creating A Restricted Group

                    Nice job joopdog! Adding a new AD group to the restricted group rather than adding individual domain users - this is the best way to control the local privileges for users.

                    Things to keep in mind when you want to restrict standard groups;
                    • to restrict the local group "Administrators" you always have to add the standard memberships manually to the list of members of the restricted group as well.
                    • to restrict the local group "Power Users", or
                      to restrict the local group "Remote Desktop Users" you do not have to add any additional standard members. But the point here is that these groups have English names. That means that on clients with non-English OSes you have to use the localized name of that group for the name of the restricted group.
                      Or better, in that case use the English and all the necessary localized names. That is no problem because the names of the restricted groups that are unknown on the client will just be ignored.
                    Still one comment on step 3! This is how it really should be;
                    3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.

                    \Rem
                    Last edited by Rems; 11th January 2007, 19:19.

                    This posting is provided "AS IS" with no warranties, and confers no rights.

                    __________________

                    ** Remember to give credit where credit's due **
                    and leave Reputation Points for meaningful posts

                    Comment


                    • #11
                      Re: Creating A Restricted Group

                      Originally posted by Rems:
                      Still one comment on step 3! This is how it really should be;
                      3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.

                      \Rem
                      Ooops!!
                      Spelling Error:
                      3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.

                      It's Administrator... not "Administrators" that I had in the previous posts.

                      Sorry.

                      Comment


                      • #12
                        Re: Creating A Restricted Group

                        Originally posted by Rems:
                        Nice job joopdog! Adding a new AD group to the restricted group rather than adding individual domain users - this is the best way to control the local privileges for users.

                        Things to keep in mind when you want to restrict standard groups;
                        • to restrict the local group "Administrators" you always have to add the standard memberships manually to the list of members of the restricted group as well.
                        • This is only the case if you use the "Member" and not the "MemberOf" section in the settings of the restricted groups.

                          Originally posted by Rems:
                          But the point here is that these groups have English names. That means that on clients with non-English OSes you have to use the localized name of that group for the name of the restricted group.
                          Or better, in that case use the English and all the necessary localized names. That is no problem because the names of the restricted groups that are unknown on the client will just be ignored.
                        This is not quite correct, as when saving the GPO, the editor tries to resolve the name of the group to a SID and if it is resolvable, it will store the group SID in the GPO configuration and not the group name. Only if the group name is not resolvable from the computer where you edit the GPO will you need to take the language into account.

                        Originally posted by Rems:
                        Still one comment on step 3! This is how it really should be;
                        3. Then I edited the “Members of this group:” by adding the following: Administrator, GREATBAY\Domain Admins and GREATBAY\Test_local_admin.
                        The local Administrator account does not need to be added explicitly - the GPO security extension ALWAYS adds the local Administrator account to the local Administrators group.

                        And a general comment: you guys have presented 2 different ways of configuring restricted groups and there is a difference in how those 2 behave.

                        Approach 1: Using Member section
                        You select a group and explicitly configure its group membership. Any account (except local Administrator) that is not defined in the GPO will be removed from that group and all the accounts defined in the GPO will be added to the restricted group.

                        Approach 2: Using MemberOf section
                        You pick a group (this is the restricted group you select in the first dialog) and say: Hey ! I want this group to be added to some other group, but I do not want to change anything about accounts that are already members of this group.
                        In this way you do not override, but add your restricted group to another group.
                        i.e.: I want to add the Helpdesk group to local Administrators, but I do not want to remove any members that are already in the Administrators group on the workstations. In this case I will configure the restricted group Helpdesk as MemberOf the Administrators group.
                        Guy Teverovsky
                        http://blogs.technet.com/b/isrpfeplat/
                        "Smith & Wesson - the original point and click interface"

                        Comment
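The replace-versus-add difference between the two approaches Guy describes, worked through on constructed data as an added example (not code from the thread or from any of its posters). The starting membership of SPARE11's Administrators group, the SPARE11\localtech account and the GREATBAY\Helpdesk group are constructed for the illustration; the "local Administrator is always re-added" rule is taken from Guy's post.

```powershell
# Added example, not from the thread: an offline model of how the security CSE settles a
# local group under the "Members" and "MemberOf" sections, so the effect of a Restricted
# Groups setting can be seen before the GPO is linked to real workstations.
# All names below are constructed after the thread and are assumptions.

function Get-MembersSectionResult {
    # Approach 1, "Members of this group": the configured list becomes the whole membership.
    # Per the thread, the built-in local Administrator is always re-added by the CSE.
    param([string[]]$Current, [string[]]$Configured, [string]$LocalAdmin)
    $final = @($Configured + $LocalAdmin | Select-Object -Unique)
    [pscustomobject]@{
        Mode    = 'Members'
        Final   = $final
        Removed = @($Current | Where-Object { $final -notcontains $_ })
        Added   = @($final   | Where-Object { $Current -notcontains $_ })
    }
}

function Get-MemberOfSectionResult {
    # Approach 2, "This group is a member of": the restricted group is appended to the
    # target group; nothing that is already there is touched.
    param([string[]]$Current, [string]$RestrictedGroup)
    $final = @($Current + $RestrictedGroup | Select-Object -Unique)
    [pscustomobject]@{
        Mode    = 'MemberOf'
        Final   = $final
        Removed = @()
        Added   = @($final | Where-Object { $Current -notcontains $_ })
    }
}

# Constructed starting state of SPARE11's local Administrators group.
$current = @('SPARE11\Administrator', 'SPARE11\localtech', 'GREATBAY\Domain Admins')

# Approach 1 with the thread's final list: localtech is removed, Test_local_admin is added.
Get-MembersSectionResult -Current $current -LocalAdmin 'SPARE11\Administrator' `
    -Configured @('GREATBAY\Domain Admins', 'GREATBAY\Test_local_admin') | Format-List

# Approach 1 with the default members forgotten (Rems's warning): Domain Admins is stripped
# from the workstation's Administrators group along with localtech.
Get-MembersSectionResult -Current $current -LocalAdmin 'SPARE11\Administrator' `
    -Configured @('GREATBAY\Test_local_admin') | Format-List

# Approach 2 with Guy's Helpdesk case: Helpdesk is appended, Removed stays empty.
Get-MemberOfSectionResult -Current $current -RestrictedGroup 'GREATBAY\Helpdesk' | Format-List
```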
