Announcement

Collapse
No announcement yet.

Restricted Groups Scope

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Restricted Groups Scope

    I've added an OU under MyBusiness -> SBSComputers called 'Windows Standard' with 'Computers' and 'Users' OUs under that. I did this so I could add restricted groups restrictions to a few test users. I've only put in 3 users/computers under this OU and applied the restricted groups GPO to the 'Windows Standard' OU. It seems to be working in that it takes the local admin account away if they are in that group and if I add them back into the default SBSComputers and SBSUsers it goes back to the way it was. However, I've noticed other users that were never moved from the default SBSComputers are losing their local admin privileges. It's not everyone, just some people. It does not seem like the GPO is being applied when I look at RSOP on their PC. Any ideas what might be going on? I've got three users that have lost privileges since I added this test OU and, of course, one of them is the General Manager.

  • #2
    Re: Restricted Groups Scope

    Can you say that again a bit slower as I can't make head or tail of it...
    A couple of screenshots would probably help
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Restricted Groups Scope

      I guess the simplified question would be this: What would cause a user account to be suddenly removed from the Administrators Group if its not a restricted groups GPO causing it? I've checked RSOP on this machine and there is no indication that the restricted groups gpo is being applied, yet it is behaving as if it has. It also seems a little too suspect since I just added a test OU where I applied the restricted groups GPO. The users/computers in question are not in this test OU though. Does that make sense?

      Comment


      • #4
        Re: Restricted Groups Scope

        Here's a look at where the GPO is. The restricted groups gpo is in 'RemoveLocalAdmin' which is under the 'Windows Standard' OU. The computers in question that are losing their admin privileges are in the SBSComputers and SBSUsers OU which I wouldn't think this gpo would touch.
        Attached Files

        Comment


        • #5
          Re: Restricted Groups Scope

          It won't.

          What does a client that is losing this show when you do a RSOP??

          have you linked the GPO anywhere else at any point??

          Comment


          • #6
            Re: Restricted Groups Scope

            Originally posted by wullieb1 View Post
            It won't.

            What does a client that is losing this show when you do a RSOP??

            have you linked the GPO anywhere else at any point??
            It does not show the restricted groups policy being applied on the PCs that are losing local admin privileges. The computers that I want the policy to apply to do show the restricted groups policy being applied in RSOP. This is all logical of course. I suppose it has to be a coincidence that it happened right after I applied this test GPO. I did an SBS 2003 to 2011 migration that completed a couple weeks ago but I wouldn't have thought it would have anything to do with that either.

            The GPO is not linked anywhere else. If it's not the GPO doing it, what else would do that? I tried adding the user back to the list of local admins and it brought it back to normal but, after doing a gpupdate /force and a logoff, it went back to losing its privileges. I'm perplexed.

            Comment

            Working...
            X