Adding users in Local Administrators Group using GP Restricted Group

    Question

  • Hi Experts.

    I have approx 200 servers. There are user1, user2 and user3 which I have added in Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local Administrators member.

    Now there is a need that user4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Let's say 50.

    In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.

    Any idea?



    Regards Suman B. Singh

    Monday, January 12, 2015 9:40 AM

Answers

  • > In Add Group option I added "Administrator" and Added user4 in "Members
    > of this Group". BUT it doesn't work.
     
    "Members of this group" is exclusive - last writer wins...
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, January 12, 2015 1:04 PM
  • Hi,

    How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group; and then we can use Security Filtering to apply the specific GPOs to specific computers.

    Regarding security filtering, the following article can be referred to for more information.

    Security filtering using GPMC

    https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx

    Filter Using Security Groups

    https://technet.microsoft.com/en-us/library/cc752992.aspx

    Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific computers.

    Regarding GPP Local Users and Groups, the following article can be referred to for more information.

    Configure a Local Group Item

    https://technet.microsoft.com/en-us/library/cc732525.aspx

    How to use Group Policy Preferences to Secure Local Administrator Groups

    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    Regarding Item-Level Targeting, the following article can be referred to for more information.

    Preference Item-Level Targeting

    https://msdn.microsoft.com/en-us/library/cc733022.aspx

    Best regards,

    Frank Shen


    Monday, January 26, 2015 6:06 AM
    Moderator
  • > on Parent OU (Asia) 4. Policy "Asia Lockdown" is enforced on Parent OU.
     
    No need to enforce it.
     
    > A restricted group GP is configured to add few users in Local
    > administrators groups in all computers lying in all Four OUs. This
     
    Through "member of" or "has members"? The second one ensures only the
    specified members are in a group - no others. The first allows adding
    members but leaves existing ones.
     
    So usually, we use "has members" at the top level (Asia).
     
    > of other users to local admin group BUT not in all computers in Four
     
    Then we use a second GPO with a security filter for a group that
    contains our "not all computers". This GPO uses "member of".
     
    Done we are :)
     
    > to give Access to some users. Noticeable things 1. As parent GP is
    > enforced so it's difficult to make changes in child OU.
     
    Why? Did you delegate GP administration for child OUs?
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, January 26, 2015 11:24 AM
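
The failing setup from the question and the two fixes suggested in the answers above (two filtered GPOs, or "has members" at the top plus a filtered "member of" GPO) can be compared with a simplified model of how the `[Group Membership]` entries of each GPO's GptTmpl.inf combine. This is an added example, not part of the original thread. Assumptions: processing order and the security filter are passed in explicitly, and `SupportAdmins`, `SRV-SUP-01` and `SRV-APP-01` are constructed placeholder names.

```python
import configparser

ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

def parse_group_membership(inf_text):
    """Parse [Group Membership] of a GptTmpl.inf body into (members, memberof) dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case instead of lower-casing
    cp.read_string(inf_text)
    members, memberof = {}, {}
    if cp.has_section("Group Membership"):
        for key, value in cp["Group Membership"].items():
            principal, _, kind = key.rpartition("__")
            names = [v.strip() for v in value.split(",") if v.strip()]
            if kind.lower() == "members":
                members[principal] = names
            elif kind.lower() == "memberof":
                memberof[principal] = names
    return members, memberof

def resultant_admins(computer, gpos, existing=()):
    """gpos: (inf_text, scope) pairs, lowest precedence first; scope is None for
    every computer or a set of computer names standing in for a security filter."""
    exact, memberof = None, {}
    for inf_text, scope in gpos:
        if scope is not None and computer not in scope:
            continue  # filtered out: this GPO is not applied here
        m, mo = parse_group_membership(inf_text)
        if ADMINS in m:
            exact = m[ADMINS]  # "Members of this group": later GPO replaces the list
        memberof.update(mo)    # per-principal setting, later GPO wins as well
    added = {p for p, groups in memberof.items() if ADMINS in groups}
    base = set(existing) if exact is None else set(exact)
    return sorted(base | added)  # "member of" adds on top of whatever is there

# Constructed sample policies; user and group names are placeholders.
SUPPORT = {"SRV-SUP-01"}  # hypothetical computers in the filtering group
GPO_BASE = "[Group Membership]\n*S-1-5-32-544__Members = user1,user2,user3\n"
GPO_USER4_ONLY = "[Group Membership]\n*S-1-5-32-544__Members = user4\n"
GPO_ALL_FOUR = "[Group Membership]\n*S-1-5-32-544__Members = user1,user2,user3,user4\n"
GPO_MEMBER_OF = "[Group Membership]\nSupportAdmins__Memberof = *S-1-5-32-544\n"

if __name__ == "__main__":
    for name, top in [("user4 only", GPO_USER4_ONLY), ("all four", GPO_ALL_FOUR),
                      ("member of", GPO_MEMBER_OF)]:
        for host in ("SRV-SUP-01", "SRV-APP-01"):
            print(name, host, resultant_admins(host, [(GPO_BASE, None), (top, SUPPORT)]))
```
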

All replies

  • Thanks everyone for views and support. My apologies if I was not able to express my problem. Here I again write my problem. Some new challenges were identified in live.

    Scenario

    1. There is a parent OU. Let's say "Asia".
    2. Four additional OUs are created inside parent OU. Every OU has its corresponding Computers.
    3. A GP called "Asia Lockdown" is applied on Parent OU (Asia).
    4. Policy "Asia Lockdown" is enforced on Parent OU.

    A restricted group GP is configured to add few users in Local administrators groups in all computers lying in all Four OUs. This policy is enforced and it adds desired users to local admin group in all OUs.

    Requirement: Now there is one additional requirement to add couple of other users to local admin group BUT not in all computers in Four OUs. If we modify "Asia Lockdown" and add required users to Restricted Group then users will get added in all computers lying in Four OUs (this is what I don't want). Every OU has some Support computers where we want to give Access to some users.

    Noticeable things

    1. As parent GP is enforced so it's difficult to make changes in child OU.
    2. If GP is enforced then Disabling Inheritance will not work.
    3. If parent GP is configured to add certain users and we try to add other users in Restricted Group in new GP for Child OU then it could lead to GP clash.

    Any idea to achieve above mentioned requirement?

    Thanks Cloudy Lynx


    • Edited by Cloudy Lynx Monday, January 26, 2015 6:39 AM
    Monday, January 26, 2015 6:37 AM
  • Thanks everyone. I was able to add one additional group in desired computers successfully. Appreciated your help.

    Thanks Cloudy Lynx

    Tuesday, January 27, 2015 8:20 AM