Restricted groups - how to add a member in a lower down GPO

    Question

  • Hi,

    We use restricted groups to set administrator group membership at top level OUs. Lower down we recreate the restricted group membership properties and add individual groups for sub OUs and servers.

    The problem with this is:

    1. We have to copy restricted group members from top level GPOs applied at the OU level.

    2. If we change the top level OU GPO restricted group members we must change the sub GPOs restricted group members to match - this is a pain to manage.

    Is there a way to only ADD administrators to the local administrators group without impacting on higher up GPOs? I've tried using the "member of" restricted group property, but from my testing this doesn't work.


    IT Support/Everything

    Saturday, January 14, 2017 8:30 PM

Answers

  • Hi Aetius,

    the Restricted Group works fine. I'm in the same scenario, where at top level I define the general administrators and at lower levels more administrators for specific tasks. At that time I found a problem in the way I put the account name in the policy: when you add someone, write only a few letters and then validate it with the "Check Names" button, so the system completes it and underlines it.

    Below I report my top GPO and one at lower level.

    Top: http://i.imgsafe.org/bc93e8c188.jpg

    At lower level where I add a group to the administrators: http://i.imgsafe.org/bca1004344.jpg

    I hope this might help you.

    RS

    • Marked as answer by Aetius2012 Monday, January 16, 2017 8:34 PM
    Sunday, January 15, 2017 7:17 PM
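An added example, not from this thread: a PowerShell check, run on a member server after the policies have applied, that compares the effective local Administrators membership with the principals the top-level and sub-OU Restricted Groups settings should produce, so a lower GPO silently overwriting the higher one shows up as "Missing" entries. The domain and group names below are constructed placeholders.

```powershell
# Added example, not from the thread: audit effective local Administrators
# membership against what the top-level and sub-OU Restricted Groups GPOs
# are expected to produce. Group names are constructed placeholders.

function Get-ExpectedAdmins {
    param(
        [string[]]$TopLevel,   # members enforced by the top-level OU GPO
        [string[]]$SubOu       # extra groups added by the lower-level GPO
    )
    # Get-LocalGroupMember reports local accounts as COMPUTERNAME\Name
    $local = @("$env:COMPUTERNAME\Administrator")
    return ($local + $TopLevel + $SubOu) | Sort-Object -Unique
}

function Compare-LocalAdmins {
    param([string[]]$Expected)
    try {
        $actual = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                  Select-Object -ExpandProperty Name
    } catch {
        # Orphaned SIDs from deleted accounts can make enumeration fail;
        # surface that rather than reporting an empty (falsely clean) group
        throw "Could not enumerate Administrators: $($_.Exception.Message)"
    }
    # Comparisons are case-insensitive by default in PowerShell
    $missing = @($Expected | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $Expected })
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Missing   = $missing   # policy did not apply, e.g. lower GPO overwrote top-level
        Extra     = $extra     # members the "Members" setting should have removed
        Compliant = ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    }
}

# Constructed sample values: replace with the groups named in your own GPOs
$expected = Get-ExpectedAdmins -TopLevel @('CONTOSO\Domain Admins', 'CONTOSO\Server-Admins') `
                               -SubOu    @('CONTOSO\SQL-Admins')
Compare-LocalAdmins -Expected $expected | Format-List
```

Run it after `gpupdate /force`; if entries are reported as Missing, `gpresult /scope computer /v` shows which GPO's Restricted Groups setting won on that machine.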

All replies


  • You need to create two GPOs: one at top level and another at lower level. The last one, because of the policy processing order, overwrites the first. Do NOT link the same GPO to two OUs where you want different things.

    So you can add/remove different groups to the local administrators without problems on the OU tree.


    Saturday, January 14, 2017 8:53 PM
  • Hi Roberto,

    Have you tried this? I've created a higher level GPO with restricted groups using "Members" and then used the "Member Of" property on a sub OU/sub GPO.

    The restricted group "Member Of" doesn't add an account to the local administrators - the net result is that the higher "Members" GPO groups didn't apply and nor does the lower down GPO - i.e. the administrators group doesn't get the intended account added. Using group policy preferences on the lower down GPO doesn't allow me to add an administrator whilst leaving the restricted group "Members" property in place.

    Not sure if what I want to achieve is possible...


    IT Support/Everything

    • Marked as answer by Aetius2012 Monday, January 16, 2017 8:33 PM
    • Unmarked as answer by Aetius2012 Monday, January 16, 2017 8:33 PM
    Sunday, January 15, 2017 4:24 PM
  • Hi Aetius,

    the Restricted Group works fine. I'm in the same scenario, where at top level I define the general administrators and at lower levels more administrators for specific tasks. At that time I found a problem in the way I put the account name in the policy: when you add someone, write only a few letters and then validate it with the "Check Names" button, so the system completes it and underlines it.

    Below I report my top GPO and one at lower level.

    Top:


    Sunday, January 15, 2017 7:13 PM
  • Thanks Roberto - that worked :-)

    IT Support/Everything

    Monday, January 16, 2017 8:34 PM