"Restricted Groups" Local Admins Changes Users’ Desktops


This topic contains 4 replies, has 5 voices, and was last updated by beddo 8 years, 11 months ago.

    Robert R.
    Participant
    #154385

    Last week, I got a request to add the group “PC Techs” to the local administrator groups for all the users on the specific department in a remote office.

    The remote office, “5th Floor,” has its own OU in Active Directory, with a child OU called “Computers”

    5th Floor
    |-Computers

    In the Computers OU, I created a GPO with the following setting

    Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Restricted Groups
    Group: BUILTIN\Administrators
    Members: ADXSYSTLD\PC Techs

    I am aware that this setting replaces all the local admins configured on each PC.

    However, I was not expecting the following message from one of the PC Techs in that office:

    Ok, I’ve gotten all sorts of complaints this AM on the 5th Floor. Gnarly armed by a 4’8” wisp of a woman wanting to know what happened to her IE favorites. Lots of complaints about DESKTOP icons going blank. By that I mean when you look at properties of a desktop shortcut, there’s no info there. Don’t know what’s caused this, but I’ll be working the problem till we get it figured out. Right now, it’s causing massive grief because nobody can remember file locations on the network drives/shares. Sigh, we’ll get it figured out. Call me on my cell if needed as I won’t be at my desk much until this is resolved.

    and

    I don’t know what happened, but MSFT decided to blow almost everyone out of the local admin group. We needed to hit all the machines on the 5th floor and read the following: domain admins; admin and the domain account for the local user. I THINK, but am not sure, but did Robert add admin to the local admin group for the Office ’07 roll out? If so, then MSFT just got plain weird. Don’t know why it happened, but everybody is back up and working.
    As usual, if you’ve got questions, I might have answers.

    These are the e-mails I got, so you know exactly what I know about the reported symptoms.

    After I removed the GPO, several test users rebooted their machines, and everything was back to normal.

    As you can guess, these users are local administrators on their PCs, so the GPO change would have removed them from that group. However, why would the users be reporting that their desktop icons, shortcuts, and network drive mappings stopped working?

    beddo
    Member
    #362538

    Re: "Restricted Groups" Local Admins Changes Users’ Desktops

    Maybe someone has mucked about with the permissions on the profiles? If the individual user accounts don’t have full access to the profiles but local admins do then losing the local admin rights will lose all sorts.

    Mudd
    Member
    #319645

    Re: "Restricted Groups" Local Admins Changes Users’ Desktops

    Robert R.;236777 wrote:
    After I removed the GPO, several test users rebooted their machines, and everything was back to normal.

    As you can guess, these users are local administrators on their PCs, so the GPO change would have removed them from that group. However, why would the users be reporting that their desktop icons, shortcuts, and network drive mappings stopped working?

    I would suggest the same thing Beddo suggested, look at the permissions. I too have similar problems here at work and it seems as though the previous admin tried to lock down the users so tightly, that when I did this same thing, some users couldn’t even do things any normal users can usually do. I worked around this by giving that user access to their entire profile and it seemed to have worked. I think by giving the “domain users” proper access to the Users directory may work as well.

    tehcamel
    Moderator
    #357238

    Re: "Restricted Groups" Local Admins Changes Users’ Desktops

    What you did wrong with your GPO, from what I can see, is add “PCTechs” to the local admin group – so it would even remove the LOCAL Administrator account.

    You need to do it the other way – make sure that PCTechs is always a member of “BuiltinAdmin”

    If that makes sense?

    The GPO will ALWAYS overwrite any other entries in a group if you use restricted groups in that way. It’s designed to act that way.

    Rems
    Moderator
    #227988

    Re: "Restricted Groups" Local Admins Changes Users’ Desktops

    Don’t give the restricted group the name: builtin\administrators, name it just: Administrators
    (see also this link for recommendations selecting the group names)

    If you use the “members” section of the Restricted Group
    Add the Members:
    ADXSYSTLD\PC Techs
    ADXSYSTLD\Domain Admins

    Notes
    – The group in Active Directory must have Global group scope (NOT Domain local).
    – Don’t forget to keep ADXSYSTLD\Domain Admins a member (members not added in this policy will be out of the local group!).
    – It is not required to add Administrator because the GPO security extension ALWAYS adds local Administrator account to local Administrators group.

    Similar thread: Restricted Groups Policy Isn’t Being Applied…

    /Rems
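
A dry run of the "Members" behaviour discussed in this thread, added here as an example and not part of any post above: run on a workstation before the GPO is linked, it lists which current members of the local Administrators group the policy would remove. The `$Intended` default uses the group names quoted in the thread; the script layout and the `$report` columns are assumptions of this example.

```powershell
# Dry run: which current members of the local Administrators group would a
# Restricted Groups "Members" list remove from this computer?
# Requires the LocalAccounts cmdlets (Windows PowerShell 5.1 or later).
param(
    # Names taken from the thread; replace with your own policy's list.
    [string[]]$Intended = @('ADXSYSTLD\PC Techs', 'ADXSYSTLD\Domain Admins')
)

# Resolve the intended names to SIDs so the comparison does not depend on
# how a name happens to be written.
$keep = foreach ($name in $Intended) {
    try {
        ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve '$name'; check the spelling and domain."
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$current = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $current) {
    $sid = $m.SID.Value
    # The built-in local Administrator (RID 500 on this machine) stays,
    # per the note in the thread that the policy always re-adds it.
    $isLocalBuiltin = ($m.Name -like "$env:COMPUTERNAME\*") -and ($sid -match '-500$')
    $outcome = if ($isLocalBuiltin -or ($keep -contains $sid)) { 'kept' } else { 'REMOVED' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Class    = $m.ObjectClass
        Outcome  = $outcome
    }
}

# Anything marked REMOVED loses local admin rights once the policy applies,
# for example a user's own domain account that was added by hand.
$report | Sort-Object Outcome, Member | Format-Table -AutoSize
```

Rows marked `REMOVED` are the accounts to review before rollout; a user whose profile permissions depend on local admin membership would show up here.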
