Restricted Groups
-
Friday, 8 February 2013 17:25
Hi
Is there any way to undo a Restricted Groups GPO? So let's say there is a site-wide GPO for a group that's been deployed. But in deploying it you have overwritten the membership of that local group and want to revert back - by disabling the GPO - will that revert it back to the previous settings on the computer when the GPO is applied as having the Restricted Groups part deleted / empty?
J
All replies
-
Friday, 8 February 2013 18:18
Yes, in fact, that is normal behavior for Restricted Groups--that once the policy is removed, the locally defined group memberships will be restored. That's not the case for all security settings but for RG, it does work that way.
Darren
Darren Mar-Elia MS-MVP, Group Policy
www.gpoguy.com
www.sdmsoftware.com - "The Group Policy Experts"
- Proposed as answer by Brano Lukic, Friday, 8 February 2013 18:42
- Marked as answer by Cicely Feng (Microsoft Contingent Staff, Moderator), Tuesday, 19 February 2013 01:11
-
Friday, 8 February 2013 19:37
Hmmm, OK - so if I go into that GPO and remove ALL groups in the pane and wait for the update... any manual groups out on my client machines will be reverted?
The reason why I am asking is that there are some groups that were missed during the assessment, but now it's been implemented we have no way of knowing what they were without waiting for impact. With what you are saying, we remove all entries in the RG part of the GPO and let it self-update out to all the clients across the domain and it will revert back?
Also - if we had set it up in error with blank members and that then removed the local groups from the admin groups - but removing the GPO for RG - will that revert back the groups and memberships to what they were before?
I guess what I am asking is how do we undo the application of RG - is it merely just removing the RG settings in the GPO?
Oh, and this is a Windows 2003 domain with XP clients.
-
Friday, 8 February 2013 19:45
The cleanest way to remove the RG settings is to simply unlink the GPO (assuming it doesn't contain other settings; if it does, then yes, remove the group entries from the RG section). Then when the client next updates policy, it should revert back to any locally defined memberships. Obviously test to make sure things go as planned, but that is the *normal* behavior when removing RG.
Darren
- Marked as answer by Cicely Feng (Microsoft Contingent Staff, Moderator), Tuesday, 19 February 2013 01:11
-
Friday, 8 February 2013 19:55
Yes, it is in a domain policy with lots of other settings. Hence my only option is to remove the group entries.
So how will the client machines remember the group memberships from pre-application?
-
Friday, 8 February 2013 20:06
My understanding (which I've not confirmed because it's kinda hard :-)) is that the local SAM caches those group memberships and essentially reverts them when RG policy is no longer applied. That is, frankly, the only mechanism that makes sense so I believe it.
Darren
-
Friday, 8 February 2013 20:30
Hmmmm, how can I test it... I guess I can't unless I do a generic test in a VM environment?
-
Friday, 8 February 2013 21:39
Do you have an OU that you have control over? If so, create a single GPO, remove the Authenticated Users ACE, add just the machine account of a test machine to security filtering. Then, add your restricted groups policy to the GPO. Apply, remove then verify local membership.
Darren
-
Sunday, 10 February 2013 14:30
Hi Darren
So I tried this within a test environment and, as you suggested, they reverted back.
Is there any situation where it wouldn't revert back?
Also - I assume that the group members will revert back on workstations as well as servers?
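
The apply/remove/verify test described in this thread is easier to judge with a recorded baseline. The following is an added example, not code posted by anyone in the thread: a PowerShell script that snapshots local group membership before the test GPO is applied and reports any difference afterwards. The script name `Test-RGRevert.ps1` and the baseline file path are assumptions.

```powershell
# Added example (not from the thread). Save as Test-RGRevert.ps1 (hypothetical name).
#   1. .\Test-RGRevert.ps1 -Mode Snapshot   before the test GPO is linked
#   2. apply the GPO (gpupdate /force), remove the RG entries, gpupdate /force again
#   3. .\Test-RGRevert.ps1 -Mode Compare    to list anything that did not come back
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Assumed location for the baseline file; change as needed.
    [string]$Baseline = "$env:SystemDrive\rg-baseline.txt"
)

function Get-LocalGroupSnapshot {
    # Enumerate local groups through the WinNT ADSI provider (works on PowerShell 2.0).
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $groups = $computer.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'group' }
    foreach ($group in $groups) {
        $name = $group.psbase.Name
        "$name|(group exists)"   # one row per group, so empty groups are tracked too
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            # Members come back as COM objects; read ADsPath by late binding.
            $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            "$name|$path"
        }
    }
}

$current = @(Get-LocalGroupSnapshot | Sort-Object)

if ($Mode -eq 'Snapshot') {
    $current | Set-Content -Path $Baseline
    "Baseline with $($current.Count) rows written to $Baseline"
}
else {
    $before = @(Get-Content -Path $Baseline)
    $diff = @(Compare-Object -ReferenceObject $before -DifferenceObject $current)
    if ($diff.Count -eq 0) {
        'Local group membership matches the baseline.'
    }
    foreach ($d in $diff) {
        if ($d.SideIndicator -eq '<=') { "MISSING (in baseline, not present now): $($d.InputObject)" }
        else                           { "ADDED   (present now, not in baseline): $($d.InputObject)" }
    }
}
```

Run it on the test machine that the GPO is security-filtered to; a `MISSING` row after the Restricted Groups entries are removed is a membership that was not restored.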

