This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Learn More

Remove From My Forums

will disabling restricted groups remove permissions.. urgent plz

Question
0

Sign in to vote

I just added in a user to the local admins on a new restricted group. Turns out i made a type and put it on the wrong gpo and it hit half the machines in the enterprise.

I just disabled the gpo. Will all of the local admins on all the servers be blank? Or will they revert to what they were before i enabled the policy?

Tuesday, July 8, 2008 8:06 PM

Answers

0

Sign in to vote
Hi,

If you disable the GPO, the corresponding settings for restricted groups will be reverted to the original state. After doing so, if you want to take it affect immediately, please run 'gpupdate /force' on every client to flush GP.

More information:

============

When you disable GPO, CSE(client side extension) will detect this change and invoke the related functions to reflect this change. Also, you can check security CSE properties that control each CSE behavior under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\827D319E-6EAC-11D2-A4EA-00C04F79F83A

It shows security related policies process during background, slow link, computer startup.

Hope this helps.

Best wishes

--------------
Morgan Che
- Marked as answer by Morgan Che [MSFT] Thursday, July 10, 2008 11:15 AM
- Marked as answer by Morgan Che [MSFT] Thursday, July 10, 2008 11:15 AM
- Marked as answer by Morgan Che [MSFT] Thursday, July 10, 2008 11:15 AM
Wednesday, July 9, 2008 7:54 AM

All replies

0

Sign in to vote
Hi,

If you disable the GPO, the corresponding settings for restricted groups will be reverted to the original state. After doing so, if you want to take it affect immediately, please run 'gpupdate /force' on every client to flush GP.

More information:

============

When you disable GPO, CSE(client side extension) will detect this change and invoke the related functions to reflect this change. Also, you can check security CSE properties that control each CSE behavior under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\827D319E-6EAC-11D2-A4EA-00C04F79F83A

It shows security related policies process during background, slow link, computer startup.

Hope this helps.

Best wishes

--------------
Morgan Che
- Marked as answer by Morgan Che [MSFT] Thursday, July 10, 2008 11:15 AM
- Marked as answer by Morgan Che [MSFT] Thursday, July 10, 2008 11:15 AM
- Marked as answer by Morgan Che [MSFT] Thursday, July 10, 2008 11:15 AM
Wednesday, July 9, 2008 7:54 AM
0

Sign in to vote

thank you microsoft for having that security feature built in.. whewwwwww. I probably woulda gotten fired for this.

Yea about 2 hours after we found out about it, we noticed that the accounts started to change back. We were puzzled because we thought that somebody else in the enterprise was working on it and fixing it,, but no it was fixing itself

thanks for the reply

Wednesday, July 9, 2008 12:22 PM