Creating A Restricted Group

  • Creating A Restricted Group

    Restricted Group

    I want to use restricted groups but I'm a little bit confused.

    I want to achieve the following:

    I want to enable all users to have local administration privileges.

    How do I accomplish this?

    I’ve done the following:
    1. I created an Organizational Unit named “AdminComputers”.
    2. I created a GPO named “Restricted Group Policy Object” under the OU “AdminComputers”.
    3. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. And adding the Group Name DOMAIN\Administrators
    4. Then I edited “This group is a member of:” by adding Administrator, DOMAIN\Domain Users.
    5. At the DOS prompt I ran gpupdate /force.

    When I log on to the XP SP# workstation, the user does not have administrative privileges.

    I want to add a Domain group to a local group on a workstation.


    This text is copied from topic:
    http://forums.petri.com/showthread.php?t=12489&page=2

    The reason why I'm creating a new one is that I did everything that was said in that topic but it still doesn't work.

    Thx for ANY help.

  • #2
    Re: Creating A Restricted Group

    1. I created an Organizational Unit named “AdminComputers”.
    2. I created a GPO named “Restricted Group Policy Object” under the OU “AdminComputers”.
    3. I edited the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. And adding the Group Name DOMAIN\Administrators
    4. Then I edited “This group is a member of:” by adding Administrator, DOMAIN\Domain Users.
    It looks like what you've done is not quite right.

    In step 3, I think you should have added the group "BuiltIn\Administrators", and then put the following into it in step 4:

    DOMAIN\Domain Admins, DOMAIN\Domain Users, <any others>

    The list you put in the policy will be the ENTIRE Administrators group on affected computers; i.e. it doesn't add to the group, it replaces anything which is there already - so be sure to add any other groups you want in there as well. If you remove Domain Users later, you want to make sure that Desktop Support are still local admins afterwards.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Creating A Restricted Group

      p.s. The "BuiltIn\Administrators" group maps to the local admins group on affected machines.


      Tom


      • #4
        Re: Creating A Restricted Group

        Well I tried the following:
        Group: builtin\administrators

        members:domain\users

        and also

        members:NULL
        member of: domain\users

        and nothing is working



        • #5
          Re: Creating A Restricted Group

          OK... have you run a Resultant Set of Policy report on that computer to see what policies are being applied?

          p.s. it should have been DOMAIN\Domain Users - NOT DOMAIN\Users; this is the default group for all users in the domain.


          Tom


          • #6
            Re: Creating A Restricted Group

            It's domain\domain users ... I just want to make it short.

            I attached the gp result


            • #7
              Re: Creating A Restricted Group

              ugh... I'm sorry I don't understand it! Can you translate please?


              Tom


              • #8
                Re: Creating A Restricted Group

                I think he did mean Domain Users but was just writing in shorthand and unfortunately picked a shorthand name that did already exist. (I was trying to make that sentence much longer too.)
                cheers
                Andy

                Please read this before you post:


                Quis custodiet ipsos custodes?



                • #9
                  Re: Creating A Restricted Group

                  Don't use the name: builtin\administrators, enter just: Administrators
                  Or better,
                  Edit the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.
                  Add Group -> Browse the computer, and select Administrators (However, the computer is able to translate standard built-in group names to their Well-known SIDs and vice versa - by using the Browse option you just ensure that the group will be identified by its SID on the client. Install GPMC on a client if you would also like to select typical WinXP built-in groups this way - if you enter an unknown built-in group name for the computer you are running the GPMC on, the group name will become just a name and therefore client OS language dependent.)

                  Then,
                  add "Members of this group"
                  Browse, select Groups, "from this location": Entire Directory, DOMAIN.LOCAL
                  select the group: "Domain Admins" and for your question also the group: "Domain Users" (domainname\Domain Users).


                  \Rems
                  Last edited by Rems; 19th September 2008, 10:44.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts



                  • #10
                    Re: Creating A Restricted Group

                    Originally posted by AndyJG247:
                    I think he did mean Domain Users but was just writing in short hand and unfortunately picked a shorthand name that did already exist. (I was trying to make that sentence much longer too )
                    Yes - he said that. Look at the text file to see what I wanted translating.


                    Tom


                    • #11
                      Re: Creating A Restricted Group

                      Originally posted by Rems:
                      Don't use the name: builtin\administrators , enter just: Administrators

                      This worked for me - but you may be right about translating names etc

                      Or better,
                      Edit the GPO “Restricted Group Policy Object” by clicking Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.
                      Add Group -> Browse the computer, and select Administrators (However, the computer is able to translate standard built-in group names to a unique part of its SID and vice versa - by using the Browse option you just ensure that the group will be identified by its unique SID on the client. Install GPMC on a client if you would also like to select typical WinXP built-in groups this way - if you enter an unknown built-in group name for the computer you are running the GPMC on, the group name will become just a name and therefore client OS language dependent.)

                      Then,
                      add "Members of this group"
                      Browse select Groups, "from this location": Entire Directory, DOMAIN.LOCAL
                      select the group: "Domain Admins" and for your question also the group: "Domain Users" (domainname\Domain Users).


                      \Rems

                      Kudos for this; excellent way of doing it which removes all uncertainty. Have some reps.
                      Here's ten characters to make the post long enough


                      Tom


                      • #12
                        Re: Creating A Restricted Group

                        Thank you Tom.


                        additional info.
                        When you enter the "name" of a known built-in group to create a Restricted Group, the characteristic part of the SID of the object will be stored. So it does not matter if the group has another name on any of the other Windows computers.

                        At our office we have Dutch and English clients; GPMC was installed just on a DC. For making the "Power Users" group a Restricted Group I had to add a group for the English name and another group for its Dutch name to make it work. On a DC the Power Users group is not available.
                        Then I installed GPMC on a member server and was able to use the Browse button to select the Power Users group. Now, when I open GPMC on the DC the Well-known SID is shown, while on the member server the name of the group is shown in the Restricted Groups pane. The Dutch translated name I had to add before to the restricted groups was not needed anymore.


                        In my previous post,
                        I corrected the words: "unique SID"
                        to: "Well-known SID"

                        A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems. (Yes, if the Administrator account has been renamed, you're still able to find the object by a characteristic part of its SID and retrieve the name.)


                        \Rems

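Tom's warning in #2 (the "Members" list becomes the ENTIRE local group) and Rems's point in #12 (the policy stores the group's SID, not its localized name) can be seen together by modelling what a Restricted Groups setting does to a local group. The Python below is an added example, not code from this thread or from Microsoft: it parses a constructed GptTmpl.inf [Group Membership] fragment (the security-template format in which Restricted Groups settings are written, SIDs prefixed with `*`; the domain SID is made up) and applies it to a snapshot of a local group, which also shows why filling in "This group is a member of" instead of "Members of this group" gives the original poster no local administrators.

```python
# Well-known SID of the local Administrators group (BUILTIN\Administrators).
# It is the same on every Windows computer whatever the group's localized name,
# which is why the policy keys on SIDs rather than names.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Constructed GptTmpl.inf fragment (not from the thread; the domain SID
# S-1-5-21-1111-2222-3333 is made up). Restricted Groups settings are stored
# in [Group Membership] as <group>__Members / <group>__Memberof, SIDs prefixed
# with '*'. RID 512 is Domain Admins, RID 513 is Domain Users.
SAMPLE_GPTTMPL = """[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-513
"""


def parse_group_membership(inf_text):
    """Return {group_sid: {"Members": [...], "Memberof": [...]}} (keys as present)."""
    policy = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().partition("__")
        members = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        policy.setdefault(group.lstrip("*"), {})[kind] = members
    return policy


def apply_policy(policy, local_groups):
    """Simulate applying the policy to a {group_sid: set(member_sids)} snapshot.

    "Members" is authoritative: the listed principals become the ENTIRE group,
    so anything not listed (a Desktop Support group, say) is removed.
    "Memberof" only adds the restricted group to the listed groups and never
    touches its own members, which is why filling in "This group is a member
    of" (step 4 of the original post) produces no local administrators.
    """
    groups = {g: set(m) for g, m in local_groups.items()}
    for group, spec in policy.items():
        if "Members" in spec:
            groups[group] = set(spec["Members"])
        for target in spec.get("Memberof", []):
            groups.setdefault(target, set()).add(group)
    return groups
```

Feed `parse_group_membership` the sample and pass the result to `apply_policy` with a snapshot that contains an extra group (say RID 1105) to watch that group disappear; a policy carrying only a `Memberof` entry leaves the local Administrators group exactly as it was.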


                        • #13
                          Re: Creating A Restricted Group

                          Thank you all for the replies but I'm a little bit confused.

                          When I'm creating a new group in restricted groups, what do I write or choose? If I click browse I have only two choices, server and AD. I installed GPMC on one client computer but I don't know why I should do that.



                          • #14
                            Re: Creating A Restricted Group

                            Originally posted by BlekotaCZ:
                            Thank you all for the replies but I'm a little bit confused.

                            When I'm creating a new group in restricted groups, what do I write or choose? If I click browse I have only two choices, server and AD. I installed GPMC on one client computer but I don't know why I should do that.
                            For your case, you want to add the Administrators group to become a restricted group for the computers in the OU; you can do that with GPMC on any server. It is not necessary to install GPMC on a certain computer, since the local group Administrators object is known to every Windows computer.

                            Run GPMC as a member of the Domain Admins group.
                            Edit the GPO.
                            Go to the Restricted Groups policy
                            In the right pane of the window right-click and select "Add Group..."
                            Click the "Browse..." button
                            At "Locations" select the computername.
                            At "enter the object names" enter: AdministratorS
                            [OK], [OK]

                            then, Add members, selected from the location: domainname.
                            add: domain admins (domainname\Domain Admins)
                            add: domain users (domainname\Domain Users)



                            • #15
                              Re: Creating A Restricted Group

                              Originally posted by Rems:
                              For your case, you want to add the Administrators group to become a restricted group for the computers in the OU; you can do that with GPMC on any server. It is not necessary to install GPMC on a certain computer, since the local group Administrators object is known to every Windows computer.

                              Run GPMC as a member of the Domain Admins group.
                              Edit the GPO.
                              Go to the Restricted Groups policy
                              In the right pane of the window right-click and select "Add Group..."
                              Click the "Browse..." button
                              At "Locations" select the computername.
                              At "enter the object names" enter: AdministratorS
                              [OK], [OK]

                              then, Add members, selected from the location: domainname.
                              add: domain admins (domainname\Domain Admins)
                              add: domain users (domainname\Domain Users)

                              I did the following:
                              Run GPMC as Administrator on AD server
                              Edit GPO
                              Go to restricted group policy
                              Add group, browse, select SERVER (as computername), type Administrators
                              OK
                              ADD member (domain\domain admins, domain\domain users)

                              gpupdate /force

                              reboot client machine, logon as user and nothing ...



                              UPDATE:
                              I have three GPOs in my AD: Default Domain Controllers, Default Domain Policy and domain users localadmin. Only in the last one have I set up restricted groups (on the OU AdminComputers; half of the computers are in this OU). If I log a user on to a computer which is not in that AdminComputers OU, I have DOMAIN\Domain Admins in the local admins group ... how is this possible?


                              UPDATE2: the computer which has that domain admins group in local admins, I moved it from the Computers OU to the AdminComputers OU where the restricted group is set up, and now I have in the local admins group his user (S-1-5-6572.....)
                              Last edited by BlekotaCZ; 19th September 2008, 13:18.
