Restricted Groups not applying to local Administrators group, Server 2008.


  • Hi

    I am busy studying for the MCTS exam and am stuck on why my Restricted Groups policy is not working; it drives me nuts, lol.

    Two machines: an AD DS server (2008 R2 Standard) and a client (Server 2008 R2 Standard).

    Basically I create a GPO with a restricted group called help desk, say this group is a member of Administrators, and apply it to an OU in Group Policy Management, which is where the computer object is located.
    I then log in to the other Server 2008 with a domain admin account, open the Local Users and Groups MMC, and under Groups I click Administrators to open it, but my help desk group isn't listed. [screenshot]

    I even tried the "Members of this group" setting and it still doesn't work. I know this will be a simple solution for the system admins on this site, haha. I am uploading the event log as well.

    Thursday, February 18, 2016 1:32 PM

All replies

  • > I then login to the other server 2008 with domain admin account and open
    Did you reboot this server prior to checking the Administrators group?
    In addition: start GPMC on this server, then create a GP Results report
    and examine whether your GPO is applied at all :)
    Thursday, February 18, 2016 3:09 PM
  • Hi, it seems to be applied correctly.

    This is the new screenshot of the local Administrators group after adding help-desk to "This group is a member of": [screenshot]

    OK, next pic: [screenshot]

    Next screenshot: [screenshot]

    Next screenshot: [screenshot]

    Right now, if I remove the current restricted group (screenshot 2) and create a new restricted group named Administrators (instead of contoso\help desk in screenshot 2), and then in the "Members of this group" section I add help desk, then in local policy only Administrator is visible, as in the first screenshot from my original post.

    It's strange that it doesn't show Administrator and then underneath contoso\help-desk, like it probably should, as in this next picture: [screenshot]

    Thursday, February 18, 2016 9:57 PM
  • The only error I could seem to find in winlogon.txt:

    Process GP template gpt00001.inf.
    02/18/2016 21:32:24
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...

    ----Configure User Rights...
        Configure S-1-5-21-3449895546-2407855676-543488047-513.
        Configure S-1-5-32-544.

        User Rights configuration was completed successfully.

    ----Configure Group Membership...
        Configure Administrators.
            remove SID: S-1-5-21-3449895546-2407855676-543488047-512.
            remove SID: S-1-5-21-3449895546-2407855676-543488047-1125.
            Undo value for undefined group policy setting <*S-1-5-32-544__Members> was reset successfully and removed.
        Configure *s-1-5-21-3449895546-2407855676-543488047-1125.
    Error 1332: No mapping between account names and security IDs was done.
         No system mapping was found for *s-1-5-21-3449895546-2407855676-543488047-1125.

        Group Membership configuration was completed successfully.
    Thursday, February 18, 2016 10:03 PM
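As an added diagnostic (this is example code, not anything posted in the thread), here is a PowerShell 2.0 script to run elevated, as a domain account, on the client that fails to apply the policy. It pulls the SIDs that the Security CSE reported as unmappable out of a winlogon.log in the format pasted above, retries the same SID-to-name lookup from the client, notes whether each SID even belongs to the domain the logged-on account comes from, checks the machine's secure channel to a DC, and lists the local Administrators group with SIDs through ADSI (Get-LocalGroupMember does not exist on 2008 R2). The function names are mine; the only assumption about the environment is that the CSE log sits at its default path, %windir%\security\logs\winlogon.log.

```powershell
# Added diagnostic example, not code from the thread. PowerShell 2.0 syntax so it runs
# on Server 2008 R2; run it elevated, as a domain account, on the failing client.
# Assumption: the Security CSE debug log is at its default location,
# %windir%\security\logs\winlogon.log (the file the poster excerpted).

# 1. Collect every SID the Security CSE reported as unmappable (the line after "Error 1332").
function Get-UnmappedSid {
    param([string]$LogPath = (Join-Path $env:windir 'security\logs\winlogon.log'))
    if (-not (Test-Path $LogPath)) {
        throw "No Security CSE log at $LogPath; enable the extension's debug logging first."
    }
    # -Pattern is case-insensitive, so the lowercase "*s-1-5-..." in the log is matched too.
    Select-String -Path $LogPath -Pattern 'No system mapping was found for \*?(S-1-5-[0-9-]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() } |
        Sort-Object -Unique
}

# 2. Repeat the SID-to-name lookup the CSE attempted, from this host, and note whether the
#    SID belongs to the same domain as the account running the script.
function Test-SidResolution {
    param([string[]]$SidString)
    $hostDomainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
    foreach ($s in $SidString) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($s)
        $sameDomain = $false
        if ($sid.AccountDomainSid -ne $null -and $hostDomainSid -ne $null) {
            $sameDomain = ($sid.AccountDomainSid.Value -eq $hostDomainSid.Value)
        }
        try {
            $lookup = 'resolves now to ' + $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # IdentityNotMappedException here is the same failure the CSE logs as Error 1332.
            $lookup = 'still unresolvable: ' + $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Sid              = $s
            SameDomainAsUser = $sameDomain
            Lookup           = $lookup
        }
    }
}

# 3. What the local Administrators group actually contains, with SIDs, through the
#    ADSI WinNT provider (works on 2008 R2, where Get-LocalGroupMember is not available).
function Get-LocalAdministratorsMember {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $m, $null)
        $raw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        New-Object PSObject -Property @{ Sid = $sid.Value; Member = $path }
    }
}

# Run the checks.
$unmapped = @(Get-UnmappedSid)
if ($unmapped.Count -eq 0) {
    'No "No system mapping" entries in the CSE log.'
} else {
    Test-SidResolution -SidString $unmapped | Format-Table Sid, SameDomainAsUser, Lookup -AutoSize
}
# A broken trust relationship with the DC also breaks SID lookups; rule that out explicitly.
'Secure channel to a DC is healthy: ' + (Test-ComputerSecureChannel)
'Current local Administrators membership:'
Get-LocalAdministratorsMember | Format-Table Sid, Member -AutoSize
```

If a SID is in the same domain as the logged-on user and the secure channel is healthy, yet the lookup still fails, the problem is on the client side rather than in the GPO; if the SID is from a different domain prefix, the policy references accounts the client cannot see. Refresh with `gpupdate /target:computer /force` and re-run after a reboot to see whether the mapping failure is persistent.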
  • >      Configure *s-1-5-21-3449895546-2407855676-543488047-1125.
    > *Error 1332: No mapping between account names and security IDs was done.*
    This in turn is the reason that
    a) the group membership is not updated
    b) in the HTML report, it reports a SID only and not a friendly name
    Never seen that - did you enable "always wait for the network at startup
    and logon"?
    Friday, February 19, 2016 10:05 AM
    I have that option active, but even disabling it didn't help.

    I found a solution though. First I tried rejoining the computer to the network (changed it back to a workgroup and then back to the domain), but that didn't help.

    What did help was the post from corp-su:

    "Hi all,

    I've found the reason for the problem I posted on March 26th, and therefore found the solution!

    One detail I posted that day was incorrect:

    • Details of my setup are:   3 separate installations from ISO of Windows Server 2008 R2 x64 Std (SP1) + all current patches ....

    Instead, the three machines were all imports of a clean Windows from the same OVF.
    That resulted in the three machines having the same GUID for any user with the same name!

    Hence the solution for me was the following line:

    C:\Windows\System32\sysprep\> sysprep.exe /oobe /generalize /shutdown

    Nevertheless, thanks for any assistance from you guys!"


    It seems that since I'm using a VirtualBox lab environment and I used a snapshot of the current DC to recreate another server, my GUID was probably the fault, or maybe a corrupt file somewhere. This will teach me to do a full reinstall next time, lol.

    So many thanks to you for trying to help me, all the best.

    • Edited by fabking Friday, February 19, 2016 11:18 PM
    Friday, February 19, 2016 11:17 PM
  • Hi,

    Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.

    Best Regards,


    Monday, February 22, 2016 8:46 AM
  • > AD tools. Therefore, we do not plan currently to add or support using
    > Restricted Groups as a way to manage Domain Groups.
    No, Jay.
    a) Restricted groups are a well-suited means to populate local groups
    on clients with members of the domain - groups or users.
    b) If linked to the domain, restricted groups can even be used to manage
    domain groups - although I'd _never_ recommend doing so. Things can go
    severely wrong if mistakes are made...
    Monday, February 22, 2016 10:15 AM
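The two settings the original poster tried ("This group is a member of" versus "Members of this group") and the last reply's warning about managing domain groups both come down to how the Security CSE reads the `[Group Membership]` section of the GPO's GptTmpl.inf: a `__Memberof` line only adds the restricted group to the listed groups, while a `__Members` line replaces the target group's membership with the listed entries, removing everyone else. As an added example (not code from the thread or from Microsoft), the PowerShell 2.0 script below parses that section and prints what each line will do on a client, resolving every entry the way the CSE does. The template text is constructed for this example: it combines both settings from the thread and reuses the thread's domain SID, which will not resolve on your host, so you also see what Error 1332 looks like from this side. The function names are mine, and the SYSVOL path in the comment is the standard layout with placeholders for your domain and GPO GUID.

```powershell
# Added example, not code from the thread. Parses the [Group Membership] section of a
# Security Settings template (GptTmpl.inf) and explains each line. PowerShell 2.0 syntax.
#
# To audit a real GPO, pass Get-Content of (placeholder path, substitute your own values):
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

# Constructed sample template: both settings from the thread, using the thread's domain SID
# (which will not resolve here) and the well-known Administrators SID (which will).
$constructedTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; "This group is a member of" on the help-desk group: additive, removes nobody
*S-1-5-21-3449895546-2407855676-543488047-1125__Memberof = *S-1-5-32-544
*S-1-5-21-3449895546-2407855676-543488047-1125__Members =
; "Members of this group" on BUILTIN\Administrators: enforced list, others are removed
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-3449895546-2407855676-543488047-1125
'@

# Turn the section into objects: Group, Kind (Members|Memberof), Entries (may be empty).
function ConvertFrom-GroupMembershipSection {
    param([string[]]$Line)
    $inSection = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }
        if ($text -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group = $matches[1]; $kind = $matches[2]; $value = $matches[3].Trim()
            $entries = @()
            if ($value -ne '') { $entries = @($value.Split(',') | ForEach-Object { $_.Trim() }) }
            New-Object PSObject -Property @{ Group = $group; Kind = $kind; Entries = $entries }
        }
    }
}

# Resolve an entry the way the CSE must: "*SID" -> account name, plain name -> SID.
function Resolve-TemplateEntry {
    param([string]$Entry)
    try {
        if ($Entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return ('{0} = {1}' -f $Entry, $sid.Translate([System.Security.Principal.NTAccount]).Value)
        }
        $acct = New-Object System.Security.Principal.NTAccount($Entry)
        return ('{0} = {1}' -f $Entry, $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value)
    } catch {
        # The same lookup failure the CSE logs as "Error 1332: No mapping between account names and security IDs".
        return ('{0} = UNRESOLVABLE on this host' -f $Entry)
    }
}

# Describe the effect of one setting on the host that applies it.
function Get-RestrictedGroupEffect {
    param($Setting)
    $group = Resolve-TemplateEntry $Setting.Group
    if ($Setting.Kind -eq 'Memberof') {
        if ($Setting.Entries.Count -eq 0) { return "$group : no 'member of' targets, nothing to do" }
        $targets = ($Setting.Entries | ForEach-Object { Resolve-TemplateEntry $_ }) -join '; '
        return "$group : ADDED to [$targets]; existing members of those groups are kept"
    }
    if ($Setting.Entries.Count -eq 0) {
        # An empty enforced list: this is the line that empties a domain group if the GPO is
        # ever applied on a host that can write to that group, e.g. a domain controller.
        return "$group : enforced member list is EMPTY, every current member is removed at refresh"
    }
    $members = ($Setting.Entries | ForEach-Object { Resolve-TemplateEntry $_ }) -join '; '
    return "$group : membership REPLACED by [$members]; anyone else is removed at refresh"
}

$settings = ConvertFrom-GroupMembershipSection ($constructedTemplate -split "`r?`n")
foreach ($s in $settings) { Get-RestrictedGroupEffect $s }
```

On a domain-joined client the `*S-1-5-32-544` entries print as BUILTIN\Administrators and the `...-1125` entries as unresolvable, which mirrors the log excerpt earlier in the thread; replace the sample with `Get-Content` of a real GptTmpl.inf to see exactly which group a policy will empty before you link it anywhere near a DC.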