Restricting Local Administrators Group Membership using Group Policy Preference not working ?

    Question

  • People,

    I need some help regarding Restricting Users Group Membership using Group Policy Preference.

    I have set the Group Policy as below:

    But somehow, only the below is applied:

    PRODFS1-VM server Local Administrators group:
    Administrator
    MyDOMAIN\Local Administrators on PRODFS1-VM

    PRODFS2-VM server Local Administrators group:
    Administrator
    MyDOMAIN\Local Administrators on PRODFS2-VM

    ...

    But there is no standard/default important Local administrator group like:

    BuiltIn\Administrator
    MyDOMAIN\Domain Admins

    in all of the servers affected by the GPO ?

    Thanks in advance.


    /* Server Support Specialist */

    Monday, June 20, 2016 11:52 PM

All replies

  • Hi,

    Thanks for your post.

    But there is no standard/default important Local administrator group like:

    BuiltIn\Administrator

    MyDOMAIN\Domain Admins

    >>>Is there no Built in\administrator and MyDomain\domain admins in local administrator group?

    It seems that the group policy has been applied successfully from GPresult.

    I suggest you check if the two groups are members of the local administrator group on the server which has applied the policy.

    in all of the servers affected by the GPO ?

    >>>If you configure the setting on a GPO which is linked to a common OU, only those computers that are members of the OU will be affected.

    If you configure the setting on Default Domain Policy, all computers on the domain will be affected.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 21, 2016 2:22 AM
    Moderator
  • Jay,

    Thanks for the reply.

    It's very strange... because when I execute the command "gpupdate /force" on all servers that I wanted to test,

    the members of the local administrator group are:

    Administrator
    MyDOMAIN\Administrators


    /* Server Support Specialist */

    Tuesday, June 21, 2016 3:02 AM
  • > But there is no standard/default important Local administrator group like:
    >
    > BuiltIn\Administrator
    > MyDOMAIN\Domain Admins
     
    Adding Builtin\Administrator will fail because this account already and
    always is a member of Administrators. And this failure will cause this
    item to NOT process the second entry.
     
    Tuesday, June 21, 2016 10:09 AM
  • > But there is no standard/default important Local administrator group like:
    >
    > BuiltIn\Administrator
    > MyDOMAIN\Domain Admins
     
    Adding Builtin\Administrator will fail because this account already and
    always is a member of Administrators. And this failure will cause this
    item to NOT process the second entry.
     

    Martin,

    Thanks for the reply.

    But yes, I need to prevent the addition or changes of the Local admin group member, hence I created that way.

    I have removed the BUILTIN\Administrator from the Group Policy Preference. I will test it; hopefully it works.


    /* Server Support Specialist */



    Tuesday, June 21, 2016 10:29 AM
  • Hi,

    I suggest you try to add domain name\domain admins to local administrators group with %domainname%\domain admins.

    For detailed information, you could refer to the article below.

    How to use Group Policy Preferences to Secure Local Administrator Groups

    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    Best Regards,

    Jay



    Wednesday, June 22, 2016 1:54 AM
    Moderator
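
To confirm on a server what the preference item actually left in the local Administrators group after gpupdate /force, the following added PowerShell check (not part of any reply in this thread) compares the group against the intended list. It assumes Windows PowerShell 5.1 or later, an elevated session, and the thread's placeholder names MyDOMAIN and "Local Administrators on <computer name>".

```powershell
# Added example, not from the thread. Run locally after "gpupdate /force".
$domain = 'MyDOMAIN'   # placeholder domain name as used in the thread

# Intended members. The built-in local Administrator account is not listed here;
# it is recognised below by its RID (500) instead.
$expectedNames = @(
    "$domain\Domain Admins",
    "$domain\Local Administrators on $env:COMPUTERNAME"
)

function Resolve-Sid {
    param([string]$Name)
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # name does not resolve (typo, missing group, no DC reachable)
    }
}

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# so the lookup does not depend on the OS display language.
$members    = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
$actualSids = @($members | ForEach-Object { $_.SID.Value })

# Expected entries: present, missing, or not resolvable at all.
$report = foreach ($name in $expectedNames) {
    $sid = Resolve-Sid $name
    $status = if (-not $sid) { 'UNRESOLVED' } elseif ($sid -in $actualSids) { 'Present' } else { 'MISSING' }
    [pscustomobject]@{ Account = $name; Sid = $sid; Status = $status }
}

# Members that are neither expected nor the machine's own RID-500 account.
$expectedSids = @($report | ForEach-Object { $_.Sid } | Where-Object { $_ })
$unexpected = foreach ($m in $members) {
    $sid = $m.SID.Value
    $isLocalAdmin = ($m.Name -like "$env:COMPUTERNAME\*") -and ($sid -like 'S-1-5-21-*-500')
    if (($sid -notin $expectedSids) -and (-not $isLocalAdmin)) {
        [pscustomobject]@{ Account = $m.Name; Sid = $sid; Status = 'UNEXPECTED' }
    }
}

@($report) + @($unexpected) | Format-Table -AutoSize
```

A MISSING or UNRESOLVED row for Domain Admins on a server where the GPO applied points back at the preference item's member list rather than at GPO scoping.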