"Restricted Groups" Local Admins Changes Users' Desktops

  • "Restricted Groups" Local Admins Changes Users' Desktops

    Last week, I got a request to add the group "PC Techs" to the local administrator groups for all the users on the specific department in a remote office.

    The remote office, "5th Floor," has its own OU in Active Directory, with a child OU called "Computers"
    5th Floor
    |-Computers
    In the Computers OU, I created a GPO with the following setting
    Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Restricted Groups
    Group: BUILTIN\Administrators
    Members: ADXSYSTLD\PC Techs
    I am aware that this setting replaces all the local admins configured on each PC.

    However, I was not expecting the following message from one of the PC Techs in that office:
    Ok, I’ve gotten all sorts of complaints this AM on the 5th Floor. Gnarly armed by a 4’8” wisp of a woman wanting to know what happened to her IE favorites. Lots of complaints about DESKTOP icons going blank. By that I mean when you look at properties of a desktop shortcut, there’s no info there. Don’t know what’s caused this, but I’ll be working the problem till we get it figured out. Right now, it’s causing massive grief because nobody can remember file locations on the network drives/shares. Sigh, we’ll get it figured out. Call me on my cell if needed as I won’t be at my desk much until this is resolved.
    and
    I don’t know what happened, but MSFT decided to blow almost everyone out of the local admin group. We needed to hit all the machines on the 5th floor and read the following: domain admins; admin and the domain account for the local user. I THINK, but am not sure, but did Robert add admin to the local admin group for the Office ’07 roll out? If so, then MSFT just got plain weird. Don’t know why it happened, but everybody is back up and working.
    As usual, if you’ve got questions, I might have answers.
    These are the e-mails I got, so you know exactly what I know about the reported symptoms.

    After I removed the GPO, several test users rebooted their machines, and everything was back to normal.

    As you can guess, these users are local administrators on their PCs, so the GPO change would have removed them from that group. However, why would the users be reporting that their desktop icons, shortcuts, and network drive mappings stopped working?
    Last edited by Robert R.; 26th April 2011, 22:15.

  • #2
    Re: "Restricted Groups" Local Admins Changes Users' Desktops

    Maybe someone has mucked about with the permissions on the profiles? If the individual user accounts don't have full access to the profiles but local admins do then losing the local admin rights will lose all sorts.


    • #3
      Re: "Restricted Groups" Local Admins Changes Users' Desktops

      Originally posted by Robert R.:
      After I removed the GPO, several test users rebooted their machines, and everything was back to normal.

      As you can guess, these users are local administrators on their PCs, so the GPO change would have removed them from that group. However, why would the users be reporting that their desktop icons, shortcuts, and network drive mappings stopped working?
      I would suggest the same thing Beddo suggested, look at the permissions. I too have similar problems here at work and it seems as though the previous admin tried to lock down the users so tightly, that when I did this same thing, some users couldn't even do things any normal users can usually do. I worked around this by giving that user access to their entire profile and it seemed to have worked. I think by giving the "domain users" proper access to the Users directory may work as well.


      • #4
        Re: "Restricted Groups" Local Admins Changes Users' Desktops

        What you did wrong with your GPO, from what I can see, is add "PCTechs" to the local admin group - so it would even remove the LOCAL Administrator account.

        You need to do it the other way - make sure that PCTechs is always a member of "Builtin\Admin"

        If that makes sense?

        The GPO will ALWAYS overwrite any other entries in a group if you use restricted groups in that way. It's designed to act that way.


        • #5
          Re: "Restricted Groups" Local Admins Changes Users' Desktops

          Don't give the restricted group the name: builtin\administrators, name it just: Administrators
          (see also this link for recommendations selecting the group names)


          If you use the "members" section of the Restricted Group
          Add the Members:
          ADXSYSTLD\PC Techs
          ADXSYSTLD\Domain Admins

          Notes
          - The group in Active Directory must have Global group scope (NOT Domain local).
          - Don't forget to keep ADXSYSTLD\Domain Admins a member (members not added in this policy will be out of the local group!).
          - It is not required to add Administrator because the GPO security extension ALWAYS adds the local Administrator account to the local Administrators group.


          Similar thread: Restricted Groups Policy Isn't Being Applied...

          /Rems
          Last edited by Rems; 11th May 2011, 22:35.

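A pre-deployment check for the situation in this thread, as an added example that is not part of any post: it lists which current members of a machine's local Administrators group a Restricted Groups "Members" list would drop. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and uses the member list suggested in post #5 as its default.

```powershell
# Added example (not from the thread): preview the effect of a Restricted
# Groups "Members" list on this machine's local Administrators group.
param(
    # Planned policy list; the defaults are the names suggested in post #5.
    [string[]]$PlannedMembers = @('ADXSYSTLD\PC Techs', 'ADXSYSTLD\Domain Admins')
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
# does not depend on the localized group name.
$current = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

$report = foreach ($member in $current) {
    # The built-in local Administrator account always has RID 500. Per the
    # thread, the policy keeps it even when it is not listed.
    $isLocalAdmin = ($member.PrincipalSource -eq 'Local') -and
                    ($member.SID.Value -match '^S-1-5-21-.+-500$')
    $listed = $PlannedMembers -contains $member.Name   # case-insensitive match

    [pscustomobject]@{
        Name        = $member.Name
        ObjectClass = $member.ObjectClass
        Source      = $member.PrincipalSource
        AfterPolicy = if ($isLocalAdmin -or $listed) { 'kept' } else { 'REMOVED' }
    }
}

# Planned entries that are not members today would be added by the policy.
$added = $PlannedMembers | Where-Object { $current.Name -notcontains $_ }

$report | Sort-Object AfterPolicy, Name | Format-Table -AutoSize
if ($added) { "Will be added: $($added -join ', ')" }

# Anything marked REMOVED loses local admin rights once the policy applies;
# a non-zero exit code lets a rollout script stop before the GPO is linked.
$removed = @($report | Where-Object AfterPolicy -eq 'REMOVED')
if ($removed.Count -gt 0) { exit 1 }
```

Run it on a sample of machines in the target OU before linking the GPO; every account reported as REMOVED either belongs in the Members list or should be expected to lose administrator rights.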