Restricted Group issue on Win7 / Server 2008R2 AD .. odd one

    Question

  • Have created a GPO that restricts the Administrators Group, linked it to an OU. GPO is enabled, enforced and at the bottom of the list of group policies.

    If I add a user to a restricted group on the local machine and reboot, reboot often, wait hours, the user remains in the restricted group. HOWEVER, if I do GPUPDATE /FORCE the account is removed immediately. I can't see that there would be something wrong with the GPO if forcing it to run works.

    Any thoughts? 

    Monday, September 26, 2016 7:27 PM

Answers

  • On 26.09.2016 at 21:27, Sam Booka wrote:
    > Have created a GPO that restricts the Administrators Group, linked it
    > to an OU. GPO is enabled, enforced and at the bottom of the list of
    > group policies.
     
    It's like the Olympic Games: the winner is in place 1.
    So, in fact, the GPO on the bottom is the first one to run, but the
    concept is "last writer wins". The GPMC shows the winner on TOP.
     
    If you place it on top, there is no need to enforce it.
     
    > If I add a user to a restricted group on the local machine and
    > reboot, reboot often, wait hours, the user remains in the restricted
    > group. HOWEVER if I do GPUPDATE /FORCE the account is removed
    > immediately.
     
    This is the expected behavior.
    The GPO has a version and is only applied if the version changes.
    You change the machine, but not the version of the GP, everything stays
    like it is on the machine. The history of the machine GP process tells
    that all rules are applied perfectly.
     
    Why does "force" change it? Take a look at gpupdate /? to see what "force"
    really does ... it ignores the version.
     
    As for the GP Client Side Extension Security, Microsoft defined a
    maximum of 16 hours to reapply security settings, which is a "force"
    only on that specific DLL.
     
    Your rule will be applied usually once a day.
     
    To get your rules applied faster by every reboot and every GP process,
    move your rules to GPP Local Users and Groups; do not use Restricted
    Groups.
     
    GPPs run usually every time with every GP process.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de (German)
     
    • Proposed as answer by Todd Heron Tuesday, September 27, 2016 12:15 AM
    • Marked as answer by Jay GuModerator Tuesday, October 11, 2016 1:43 AM
    Monday, September 26, 2016 9:22 PM
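To make the window Mark describes visible on a machine, here is an added PowerShell check (not from this thread and not a Microsoft tool) that enumerates the local Administrators group through ADSI so it runs on the Windows 7 / Server 2008 R2 PowerShell 2.0 that the question is about, compares the result against the membership the Restricted Groups GPO is expected to enforce, and reads the time of the last Security CSE completion from the Group Policy operational log. The allow list in `$Expected` and the `CONTOSO` domain are made-up placeholders; matching the word "Security" in the message of event 5016 is an assumption about that log's wording, so adjust it for your locale.

```powershell
# Added example, not from the thread: detect local Administrators drift on a
# Win7 / 2008 R2 host between Restricted Groups refreshes. Uses ADSI/WinNT so it
# works on PowerShell 2.0 (Get-LocalGroupMember needs PowerShell 5.1+).

# Hypothetical allow list: the members your Restricted Groups GPO enforces.
# Replace with the entries actually defined in your GPO.
$Expected = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Get-LocalAdminMembers {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://HOST/Administrator
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2 -and $parts[0] -ine $Computer) {
            "$($parts[0])\$($parts[1])"       # domain principal: DOMAIN\name
        } else {
            $parts[$parts.Count - 1]           # local account: bare name
        }
    }
}

function Compare-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notcontains is case-insensitive, which matches how Windows treats names.
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    $missing = @($Expected | Where-Object { $Actual   -notcontains $_ })
    New-Object PSObject -Property @{ Extra = $extra; Missing = $missing }
}

function Get-LastSecurityCseRun {
    # Event 5016 in the Group Policy operational log marks completion of a CSE
    # and names it in the message. Matching 'Security' in the message text is an
    # assumption about the log's wording; newest events are returned first.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5016 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Security' } |
        Select-Object -First 1 -ExpandProperty TimeCreated
}

$actual = @(Get-LocalAdminMembers)
$drift  = Compare-AdminMembership -Actual $actual -Expected $Expected
$last   = Get-LastSecurityCseRun

"Local Administrators: $($actual -join ', ')"
if ($drift.Extra.Count   -gt 0) { "DRIFT: unexpected members present: $($drift.Extra -join ', ')" }
if ($drift.Missing.Count -gt 0) { "DRIFT: expected members absent:    $($drift.Missing -join ', ')" }
if ($last) {
    $age = (Get-Date) - $last
    ('Security CSE last completed {0:N1} h ago; Restricted Groups is reapplied at most ' +
     'every 16 h unless the GPO version changes or gpupdate /force is run.') -f $age.TotalHours
}
```

Run it as an administrator on the workstation where you added the test user: the "unexpected members present" line shows the account that Restricted Groups has not yet removed, and the Security CSE age tells you how far into the 16-hour window you are. Scheduling this check, or collecting the same comparison centrally, gives you detection of local admin drift in the hours before the GPO corrects it.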

All replies

  • Hi Sam,

    For restricted group policy, if a Restricted Groups Group Policy is used for the local group members, then the user can be added as a member of the group, and is automatically removed after the re-apply of the group policy.

    Here is an article below about restricted group for your reference.

    Active Directory Group Policy Restricted Groups

    http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, September 27, 2016 5:12 AM
    Moderator