Group Policy for local users/groups not working

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I have a W2K8R2 domain and ~800 XPSP3 desktops. There are numerous GPOs, one of which uses the Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups setting to add an AD group to the BUILTIN\Administrators local group. This works fine on XP but not W7.

After some Googling I found another way of doing it so I created a new GPO, put a W7 VM into a test OU and applied the GPO to it. This GPO uses the Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/Group (Name: Administrators (built-in))/Administrators (built-in)(Order:1)/Local Group setting to do the same thing (Googling about it tells me this is a better way of doing it than Restricted Groups) but this fails to apply to my W7 computer.

Group Policy Results wizard tells me the GPO was successfully applied. But if I edit the properties of the local Administrators group on the W7 machine it doesn't list the group that I added with the GPO.

Is there something different about W7 and how this GPO works?
 
UPDATE: I added another entry to the GPO that would create a new local group with a single member and this part of the GPO worked.

The initial part to do with the local admin group was as follows:

Code:
Action                         Update
Properties
   Group Name                  Administrators (built-in)
   Rename to
   Description
   Delete all member users     Disabled
   Delete all member groups    Disabled
Add Members
  DOMAIN\Domain Admins         S-1-5-21-4170326925-2383811997-614304044-8556
  DOMAIN\Support Staff         S-1-5-21-4170326925-2383811997-614304044-512

So it appears that it is a problem with the 'Update' action on the existing built-in local administrators group.

Further testing found if I add something to the 'Rename to' and 'Description' fields that it creates a new group and places the members in it.

If I change the action to 'Replace' it creates a new group called 'Administrators (built-in)' because the default group is just Administrators. I haven't yet tested to see if this actually works, i.e. users in the group will have administrative rights. It just seems horribly confusing.

Anyone else tried to do this?
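
An added example, not part of the original post: a PowerShell check to run elevated on the Windows 7 client that reads the real membership of the built-in Administrators group (resolved by its well-known SID S-1-5-32-544 rather than by display name) and compares it with the SIDs in the GPO report above. It also looks for a separate local group literally named 'Administrators (built-in)', as the post describes. The function name Get-LocalGroupMemberSid is made up for this example.

```powershell
# Added example, not from the original post. Works on PowerShell 2.0 (Windows 7).
# SIDs the GPO is expected to add, copied from the GPO report in the post.
$expected = @(
    'S-1-5-21-4170326925-2383811997-614304044-8556',
    'S-1-5-21-4170326925-2383811997-614304044-512'
)

# Resolve the built-in Administrators group by its well-known SID so the
# check does not depend on how the group is named or displayed.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Hypothetical helper: returns the SID string of every member of a local group.
function Get-LocalGroupMemberSid([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

# Compare what the GPO should have added with what is actually there.
$actual = @(Get-LocalGroupMemberSid $adminName)
foreach ($sid in $expected) {
    $state = if ($actual -contains $sid) { 'present' } else { 'MISSING' }
    '{0,-8} {1} in local group "{2}"' -f $state, $sid, $adminName
}

# Look for a separate local group created under the literal name from the GPO item.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$stray = @($computer.psbase.Children | Where-Object {
    $_.psbase.SchemaClassName -eq 'group' -and
    $_.psbase.Name -eq 'Administrators (built-in)'
})
if ($stray.Count -gt 0) {
    'Found a separate local group named "Administrators (built-in)" with members:'
    Get-LocalGroupMemberSid 'Administrators (built-in)'
} else {
    'No separate local group named "Administrators (built-in)" exists.'
}
```

Members of a group other than the one holding SID S-1-5-32-544 do not receive local administrator rights through that membership, so the first half of the output is the one that answers whether the policy had the intended effect.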
 