  1. Senior Member
    Join Date
    Feb 2011
    Location
    Wisconsin
    Posts
    143

    Certifications
    A+
    #1

    Restricted Groups applying to specific global groups

    I'm missing something simple and it is driving me crazy.

    I have an OU that needs to have the managers all have local administrator access. Simple, I says. Create a GPO that adds the global group to the computers' local administrators group, link it to the OU and then set security filtering to only apply for the managers security group. Nope. Tried creating a global group that contained all accounts that aren't in the managers group and denying them Apply Group Policy in the Delegation tab for the group policy and nothing.

    What am I missing? Can this not be done?

  3. Reticulating splines... iBrokeIT's Avatar
    Join Date
    Jul 2013
    Location
    Twin Cities, MN
    Posts
    1,045

    Certifications
    GCIH, GSEC, VCAP5-DCA, VCP5-DCV, MCITP:EA, MCSA 2003/08
    #2
    You are making this way too complicated.

    Create a new security group and add the users you want then apply permissions for that group.

  4. Senior Member
    Join Date
    Feb 2011
    Location
    Wisconsin
    Posts
    143

    Certifications
    A+
    #3
    Everyone in the Managers group will need to be members of the Local Administrators group on every computer they log on to and when they log off, standard Local Administrator group members apply (administrators, domain/domain admins). Sorry if that wasn't clear.

    I wish I was the one making this complicated because then it wouldn't be complicated.

    Thanks for the reply and sorry for the late response but things are absolutely crazy at work.
    Last edited by j-man; 11-14-2015 at 10:57 PM.

  5. Command Line Warrior elTorito's Avatar
    Join Date
    May 2011
    Posts
    101

    Certifications
    A+, N+, MCTS 70-680, VCP5-DT, VCP-DCV, FCNSA, EMC E20-547
    #4
    The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.

    To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group to be a Member Of of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.

    Edit: I wouldn't recommend making anyone local administrator, especially not managers
    Last edited by elTorito; 11-24-2015 at 11:31 PM.
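
An added example, not part of the original thread: a small audit that reads the `[Group Membership]` section of a GPO's `GptTmpl.inf` and reports every principal the policy puts into local Administrators, separating the additive "Member Of" form described in the post above from the "Members" form, which replaces the group's membership. The sample file and its domain SIDs are constructed; the function name is hypothetical.

```python
import configparser

# BUILTIN\Administrators, by well-known SID or by name (lower-cased for comparison).
ADMIN_IDS = {"s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed sample; real files are UTF-16 and must be decoded by the caller.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,Administrator
"""


def audit_admin_grants(inf_text):
    """Return (mode, principal) pairs that grant local Administrators membership.

    mode is "additive" for a "<group>__Memberof" entry naming Administrators
    (existing members are kept) and "replace" for an "Administrators__Members"
    entry (members not listed are removed at policy refresh).
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case; the default lower-cases keys
    cp.read_string(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        group = group.lstrip("*")  # a leading "*" marks a SID rather than a name
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        kind = kind.lower()
        if kind == "memberof" and any(e.lower() in ADMIN_IDS for e in entries):
            findings.append(("additive", group))
        elif kind == "members" and group.lower() in ADMIN_IDS:
            findings.extend(("replace", e) for e in entries)
    return findings


if __name__ == "__main__":
    for mode, principal in audit_admin_grants(SAMPLE_INF):
        print(f"{mode:9} {principal}")
```

Running it over the templates of every GPO linked to a computer OU gives a reviewable list of who ends up as local administrator and through which form of the setting.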

  6. Woohoo! It's over 1000!
    Join Date
    Aug 2015
    Location
    Australia
    Posts
    1,683

    Certifications
    Linux+, ACSA, ACTC, ACSP, MCSA:7, MCTS, ITIL F, Prince2 Pract, AgilePM Practitioner, VCP-DCV 5/6, Storage+, CCNA R+S/Sec/CyberOps, Sec+, CEH, CASP
    #5
    Quote Originally Posted by elTorito View Post
    Edit: I wouldn't recommend making anyone local administrator, especially not managers
    I second that. Also what you said about actually achieving a solution. But mostly, the bit about restricting local administrator access tightly.
    2017 Goals - Something Cisco, Something Linux, Agile PM

  7. Senior Member
    Join Date
    Feb 2011
    Location
    Wisconsin
    Posts
    143

    Certifications
    A+
    #6
    Thank you gentlemen. Again, sorry to be late with a reply.

    The situation has been worked out. I don't know why this was such an issue and made to be more complicated than it needed to be in the first place but that is what happens sometimes.

    Onward and upward (I guess)

  8. Senior Member nachodba's Avatar
    Join Date
    Sep 2014
    Location
    Fairfax, VA
    Posts
    188

    Certifications
    MCSE: Servers, Sec +, MCITP:DBA 2008, MCSA SQL Server 2012/2014
    #7
    Quote Originally Posted by elTorito View Post
    The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.

    To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group to be a Member Of of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.
    This x 100.
    2017 Goals - MCSA SQL 2016 Database Administration, MCSA Windows Server 2016