
Restrictive group policy conflict



    Can you use group policy to put individual users into the local admin group of their own desktop and use restrictive group policy to stop anyone else being added?


    We have multiple remote sites that are all split up geographically by OU in AD (Win 2003). Each OU has a basic structure of Users, Workstations etc. GP currently puts Domain Admins and another admin group into the local administrators group on each workstation at these sites. There is only one user per site at the moment that is in the custom admin group, and we have used the restrictive group policy to stop them adding any other users or groups to the machines (as it removes them on every refresh). The remote site admin person has admin access to all the machines on his site.
    We now need to give some users local admin rights (don't ask why, it's being forced - politics) to only their machine. Of course the site admin can add them, but the restrictive group policy takes them out again. We need to somehow give these individuals local admin while keeping the restrictive group policy (to stop others being added), and only on their own PC.

    Any ideas?


  • #2
    Re: Restrictive group policy conflict

    If I understand correctly, you are using Group Policy Restricted Groups.
    And it should be (according to your explanation) the "Members" Restricted Group portion of the policy:
    When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.
    So, if yes, you can try the following scenario:
    Add the appropriate users to the local admin group on their own computers. Then use GPO filtering on the Group Policy Restricted Groups GPO for those users. Example:
    Say that you add User1 to the local admin group on his own computer. Now use GPMC, click on the appropriate GPO, go to the Delegation tab and click on the Advanced button, and you will receive the ACL Editor of the GPO:

    Now click the Add button and add User1 to the list, and then grant him Deny permission on Read and Apply Group Policy settings. So, next time the user will not be removed on every refresh of the GPO.
    Last edited by igor7; 26th July 2007, 10:03.
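A small simulation of the "Members" behaviour igor7 describes (anyone not on the list is removed, the built-in Administrator excepted; anyone on the list who is missing is added), added here as an example and not code from this thread or from Microsoft. It reads the [Group Membership] section of a GptTmpl.inf, which is the layout I assume the Restricted Groups setting is stored in under the GPO's MACHINE\Microsoft\Windows NT\SecEdit folder in SYSVOL, and predicts which accounts the next refresh would add to or strip from a workstation's local Administrators group. That is exactly the effect the first post complains about: the user the site admin added by hand is on the "would remove" list. The SIDs, the CONTOSO names, the SID-to-name table and the "current members" snapshot are all constructed for the example; on a real domain the names would be resolved from the directory.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a GptTmpl.inf fragment with one Restricted Groups entry
# for the local Administrators group (well-known SID S-1-5-32-544). The domain
# SID and the group names are made up for this example.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-512,CONTOSO\\SiteAdmins
"""

# Constructed SID-to-name table standing in for a real account lookup.
SID_TO_NAME = {"*S-1-5-21-1000-2000-3000-512": "CONTOSO\\Domain Admins"}

LOCAL_ADMINISTRATORS = "*S-1-5-32-544"

# Constructed snapshot of one workstation's local Administrators group after
# the site admin has added a user (jsmith) by hand.
CURRENT_LOCAL_ADMINS = ["Administrator", "CONTOSO\\SiteAdmins", "CONTOSO\\jsmith"]


def parse_group_membership(inf_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the [Group Membership] section of a GptTmpl.inf into
    {group: {"members": [...], "memberof": [...]}}. Keys in that section look
    like '<group>__Members' and '<group>__Memberof'; values are comma-separated."""
    groups: Dict[str, Dict[str, List[str]]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = re.fullmatch(r"(.+?)__(Members|Memberof)", key.strip(), re.IGNORECASE)
        if not match:
            continue
        group, kind = match.group(1), match.group(2).lower()
        entry = groups.setdefault(group, {"members": [], "memberof": []})
        entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return groups


def policy_members_for(inf_text: str, group: str, sid_map: Dict[str, str]) -> List[str]:
    """Return the 'Members' list for one restricted group, SIDs resolved to names."""
    entries = parse_group_membership(inf_text)
    return [sid_map.get(m, m) for m in entries.get(group, {}).get("members", [])]


def simulate_refresh(current_members: Iterable[str], policy_members: Iterable[str],
                     protected: Iterable[str] = ("Administrator",)
                     ) -> Tuple[List[str], List[str], List[str]]:
    """Apply the 'Members' semantics: drop anyone not on the list (except the
    protected built-in Administrator), add anyone on the list who is missing.
    Names are compared case-insensitively. Returns (resulting, added, removed)."""
    current = {m.lower(): m for m in current_members}
    policy = {m.lower(): m for m in policy_members}
    keep = {p.lower() for p in protected}
    removed = [name for key, name in current.items() if key not in policy and key not in keep]
    added = [name for key, name in policy.items() if key not in current]
    resulting = [name for key, name in current.items() if key in policy or key in keep] + added
    return sorted(resulting), sorted(added), sorted(removed)


def run_sample() -> Tuple[List[str], List[str], List[str]]:
    """Predict what the next policy refresh does to the constructed workstation."""
    members = policy_members_for(SAMPLE_GPTTMPL, LOCAL_ADMINISTRATORS, SID_TO_NAME)
    return simulate_refresh(CURRENT_LOCAL_ADMINS, members)


if __name__ == "__main__":
    resulting, added, removed = run_sample()
    print("policy would add:   ", added)
    print("policy would remove:", removed)
    print("after refresh:      ", resulting)
```

Pointed at the real GptTmpl.inf of the Restricted Groups GPO and a dump of a machine's current local Administrators group, the same two functions show which hand-added accounts will not survive the next refresh, which is a cheap way to audit whether an exception scheme like the one above actually leaves the intended user in place on the intended machine and nobody else.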


  • #3
    Re: Restrictive group policy conflict

    That looks good. I'll give it a go and let you know!