Restricted Groups Policy Isn't Being Applied...

  • Restricted Groups Policy Isn't Being Applied...

    Yes, sorry, this is another post about Restricted Groups and Group Policy. I read all the other posts related to Restricted Groups (and various sites on the Internet) but still no success. I think that I am going mad. All that I want to do is grant domain users administrative privileges on their local machines. Should be an easy task, right? Then why can't I get it to work? Here is what I've done so far:

    - Joined test client TEST01 (Windows 2000 Pro) to test domain TEST (Windows 2003 R2).
    - Created two new OUs COMPOU and USEROU
    - Added the client computer TEST01 to COMPOU
    - Created a new user called USER01
    - Created a new global security group in USEROU called ADMINGROUP
    - Added the user USER01 to group ADMINGROUP
    - Added a new group policy called COMPPOLICY linked to COMPOU
    - Created a new restricted group called Administrators in the Restricted Groups node in COMPPOLICY
    - Added TEST/ADMINGROUP and TEST/Domain Admins as members of the Administrators Restricted Group
    - Update GPOs with gpupdate /force (I've also tried rebooting the client)
    - Log into TEST01 with the USER01 user account
    - Try to install software--fail.
    - Peek into the local Administrators group for TEST01: members are Administrator and TEST/Domain Admins

    The restricted groups group policy does not seem to be applying to the client. Are any of the steps above wrong? Is it a Windows 2000 Pro thing? Something else?

  • #2
    Re: Restricted Groups Policy Isn't Being Applied...

    Originally posted by grittyminder:
    Should be an easy task, right?
    Until they screw something up

    I'm assuming you've already checked that Windows 2000 supports using restricted groups. Edit: Checked, and it does.

    Minor and unlikely to make a difference, but try specifying the names as domain\name rather than domain/name. Can't hurt to try, just to eliminate that.

    Reboot the client several times (at least 3 - known quirk with some aspects of GP) and then run gpupdate on the client. Does it show that your policy is being applied? Blocked? Does it show up in the list at all?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Restricted Groups Policy Isn't Being Applied...

      Minor and unlikely to make a difference, but try specifying the names as domain\name rather than domain/name. Can't hurt to try, just to eliminate that.
      Whoops, I mistyped. I actually meant to enter domain\name. That pesky backslash is too far for my lazy fingers to reach.

      I actually have only tried rebooting once. The reason being, the Windows 2000 test client is very, very old and logging into the domain seems to take an eternity (actually around 10 minutes). I'm going to try rebooting three times and we'll see how it goes...



      • #4
        Re: Restricted Groups Policy Isn't Being Applied...

        Rebooting didn't seem to work. It's waaay too late at night. I'm going to give this another try tomorrow.



        • #5
          Re: Restricted Groups Policy Isn't Being Applied...

          Ok. Check the results of gpresult tomorrow.
          Gareth Howells




          • #6
            Re: Restricted Groups Policy Isn't Being Applied...

            Have your 2000 clients been updated to SP4 at all?

            http://support.microsoft.com/kb/810076
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR



            • #7
              Re: Restricted Groups Policy Isn't Being Applied...

              Good point, I wasn't aware that it required SP4.
              Gareth Howells




              • #8
                Re: Restricted Groups Policy Isn't Being Applied...

                Once groups are added in the Restricted Groups right-hand pane, membership may be configured for each group by right-clicking the appropriate group, and then clicking Security.
                In the Security dialog box there are 2 list boxes, "Members of group name" and "group name is a member of", where group name is the appropriate group name.

                Membership is enforced as:
                1. Members of group name
                  Membership Is Strictly Enforced:
                  • For the restricted group, any user or group that is included in that restricted group's member list is added to the group.
                  • Any user or group that is currently a member of the group, but is not listed in the restricted group's member list is removed.
                2. group name Is a Member of
                  Only inclusion is enforced in this case. The restricted group is not removed from other groups based on the items in this list.
                  In versions of Microsoft Windows earlier than Microsoft Windows 2000 Service Pack 4 (SP4), the Restricted Groups Member of security setting in Group Policy cannot be used to add domain groups to local groups on member computers.

                (http://support.microsoft.com/kb/228496)


                Can you confirm that you have added 'TEST\ADMINGROUP' and 'TEST\Domain Admins' as members of the Administrators Restricted Group by using the Members section and not the Member Of section that is below it?

                Also, there are some benefits to using the Browse option to select object names http://forums.petri.com/showpost.php...62&postcount=9 rather than typing the names.


                Now, let's check the results of gpresult.


                \Rems

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts



                • #9
                  Re: Restricted Groups Policy Isn't Being Applied...

                  Have your 2000 clients been updated to SP4 at all?
                  Good call. Yes, the client is SP4 and entirely up to date patch-wise.

                  Ok. Check the results of gpresult tomorrow.
                  Awesome, I didn't know about gpresult. I just ran it on the client and got what might be an unusual result (I'm not entirely sure how to interpret it). Firstly, none (i.e. zero) of the policies from the domain controller were applied to the client. Secondly, and this is the unusual part, according to the gpresult output, group policy was last applied yesterday at about 7:30PM from a domain controller in a domain that doesn't exist. Well, the domain did exist at one time, but now it does not (the test client was a member of that domain a year or so ago). BTW, the last time I tried to apply group policy yesterday was at 9:30PM, not 7:30PM. And in case anybody asks, yes, the client is currently a member of the domain TEST--there is no mistaking this fact--and the client time is accurate (same as the domain controller).

                  I tried gpupdate /force today and checked gpresult for the client again. It still shows that the last time group policy was updated was yesterday at 7:30PM. I'm not sure what to make of this; it could be a red herring. Anyhow, I haven't tried any of Rems' suggestions yet and will now do that...



                  • #10
                    Re: Restricted Groups Policy Isn't Being Applied...

                    Augh... I found the problem. There was something I neglected to mention to you all that is very important--there is a firewall between the client and the domain controller. I didn't mention this before because I properly checked the firewall logs before my first post and I *swear* that I didn't observe any dropped packets (I must admit that I was fairly tired at the time though). Well, guess what I found in the firewall logs today...?

                    I initially opened up TCP ports 53, 88, and 445, and UDP ports 53, 88, 389, and 445 and everything seemed to work fine (I was able to join clients to the domain and perform user authentication). However, it seems that in order to apply policy settings additional ports must be opened. Specifically, when I opened up TCP ports 135, 389, and 104:65535 (yes, that is a helluva lot of ports) I was finally able to apply the group policies to the client. Yes! Now I can go home. Thank you all for your help.

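As an added example that is not part of the original thread (and not anything the posters ran), the PowerShell script below strings together the three checks this thread converged on, in the order a practitioner would want them: whether the client can reach the DC on the TCP ports Group Policy needs (post #10), whether the GPO is in the computer's applied list per gpresult (posts #5 and #9), and what the strict "Members of" semantics quoted from KB 228496 in post #8 would do to the live local Administrators group. The DC name DC01.test.local, the GPO name COMPPOLICY and the group names are assumptions mirroring the lab described in post #1. It needs Windows 10 / Server 2016 or later with PowerShell 5.1 (Test-NetConnection, Get-LocalGroupMember) and an elevated prompt for gpresult /scope computer; the thread's Windows 2000 client could not run it.

```powershell
# Added example, not code from the original thread. Three checks for a
# Restricted Groups policy that never shows up on a domain member:
#   1. can the client reach the DC on the TCP ports Group Policy needs,
#   2. is the GPO in the computer's applied list (gpresult),
#   3. what the "Members of" list would add to / remove from the live group.
# Assumptions (hypothetical, mirroring the thread's lab): DC01.test.local,
# GPO COMPPOLICY, domain TEST, group TEST\ADMINGROUP. Requires PowerShell 5.1
# on Windows 10 / Server 2016 or later, run from an elevated prompt.
param(
    [string]$DomainController = 'DC01.test.local',   # assumption
    [string]$GpoName          = 'COMPPOLICY',        # assumption
    [string[]]$PolicyMembers  = @('TEST\ADMINGROUP', 'TEST\Domain Admins')
)

# 1. TCP ports a domain member needs to locate the DC, authenticate, read the
#    GPO links over LDAP and pull the policy files from SYSVOL. LDAP is TCP
#    389 here: UDP 389 (which the thread had open) only serves the DC locator
#    ping, not the queries the Group Policy engine makes. 135 is the RPC
#    endpoint mapper; the dynamic RPC port it hands out (1025-5000 on
#    Windows 2003, 49152-65535 on Vista/2008 and later) is negotiated per
#    call, so it is not probed here.
$RequiredTcpPorts = @{
    53  = 'DNS (DC locator SRV records)'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP (GPO links and version numbers)'
    445 = 'SMB (SYSVOL: GPT.INI, GptTmpl.inf)'
}

function Test-GpoTransport {
    param([string]$Server, [hashtable]$Ports)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Purpose = $Ports[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

# 2. gpresult /r /scope computer prints an "Applied Group Policy Objects"
#    heading, a dashed underline, one GPO name per line, then a blank line.
function Get-AppliedComputerGpos {
    $lines = gpresult /r /scope computer 2>$null
    $inApplied = $false
    foreach ($line in $lines) {
        if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
        if ($inApplied) {
            if ($line -match '^\s*-+\s*$') { continue }   # underline below the heading
            if ($line -notmatch '\S') { break }            # blank line ends the section
            $line.Trim()
        }
    }
}

# 3. Strict "Members of" semantics (KB 228496): every listed principal is
#    added, every unlisted member is removed. Computing that diff shows what
#    the policy should have done, independently of whether it applied. The
#    built-in Administrator account cannot be removed from the local
#    Administrators group, so it is never reported as a removal.
function Get-RestrictedGroupDelta {
    param([string[]]$Current, [string[]]$Desired)
    $cur = @($Current | ForEach-Object { $_.ToLowerInvariant() })
    $des = @($Desired | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        ToAdd    = @($Desired | Where-Object { $cur -notcontains $_.ToLowerInvariant() })
        ToRemove = @($Current | Where-Object {
            ($des -notcontains $_.ToLowerInvariant()) -and ($_ -notmatch '\\Administrator$')
        })
    }
}

Write-Host "Transport to $DomainController"
Test-GpoTransport -Server $DomainController -Ports $RequiredTcpPorts | Format-Table -AutoSize

$applied = @(Get-AppliedComputerGpos)
if ($applied -contains $GpoName) {
    Write-Host "GPO '$GpoName' is in the computer's applied list."
} else {
    Write-Host "GPO '$GpoName' is NOT applied. Applied GPOs: $($applied -join ', ')"
}

$current = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
Write-Host "Current Administrators: $($current -join ', ')"
Get-RestrictedGroupDelta -Current $current -Desired $PolicyMembers | Format-List
```

A closed port in the first table explains an empty applied list in the second; a populated ToAdd after a successful gpupdate with the GPO listed as applied points instead at the Members/Member Of mix-up from post #8. If the client is on the other side of a firewall, the endpoint-mapper port alone is not enough: the RPC dynamic range for the DC's OS version has to be reachable too, which is the "helluva lot of ports" post #10 ended up opening.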


                    • #11
                      Re: Restricted Groups Policy Isn't Being Applied...

                      *blinks* any particular reason for having a firewall between internal network segments?
                      Gareth Howells




                      • #12
                        Re: Restricted Groups Policy Isn't Being Applied...

                        Ha ha... yeah, while I was experimenting with group policy, I was also experimenting with having a firewall between the Active Directory client and the domain controller (in a test environment, of course) to see how much of a bother it would be. And, yes, it is a bother. Not doing that again.
