Restricted Groups problem - modifying too broadly

    Question

  • Hello,

    I have a problem with the Restricted Groups GPO setting. I have created a GPO setting for an OU of computers in the domain. Even though I understood from several posts that if I define the group in the "This group is a member of" setting, this would add the group, this does not happen - the other users have been wiped and only the group added. OK, I can manage this and it is not such a problem.

    Here is the problem: I have been modifying the local Administrators group. The Administrators group now also gets wiped on servers, which means that the only user left in there is the local Administrator account, effectively kicking the domain admin out of the system! Of course the above policy does not apply to the servers so that the Domain Admin is not added and I am getting locked out of domain servers.

    What am I missing, what am I doing wrong and how can I get rid of the Restricted Groups setting altogether without it messing up all the rights again?

    Saturday, January 21, 2017 3:21 PM


All replies

  • That is the way the Restricted Groups feature works. Any members you specify are made members of the group. Any existing members that you do not specify are removed. That is the purpose of the feature, so that you can control the group membership, especially of the local Administrators groups on all PCs. Any members you do not know about are removed.

    Edit: You may have seen these links, but they explain:

    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

    https://technet.microsoft.com/en-us/library/cc957640.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    Saturday, January 21, 2017 3:37 PM
  • Hello Richard,

    thank you for replying. I have seen these links and seem to misunderstand "Tip 2" of the first link (I was following that and didn't quite get the desired result). My problem is: why is this policy getting applied to computers that are not members of the OU the GPO is linked to? Why are members of the Administrators group on servers (which are, of course, nowhere near the OU where these computers are located) also being deleted?

    And how do I revert my changes? I know (now, meh) that I can add members using GPO/Computer configuration/Preferences/Control panel settings/Local users and groups, or I can add them manually, whatever; I just cannot seem to be able to get rid of the policy which deletes members of the Administrators group. Tried disabling the policy - all members got deleted (and re-deleted if I add them manually, when I do gpupdate). Tried deleting the policy. No change. What I would currently most prefer is for this GPO to stop interfering with the groups and let me manage them manually again. What am I missing?

    Thanks, Andrej

    Saturday, January 21, 2017 4:02 PM
  • Group Policy processing order is defined as LSDOU... This is what I have learnt: it first applies L and then continues down the hierarchy

    L - Local

    S - Site

    D - Domain

    OU - Org unit

    Since you have set up the GP on a specific OU, I think (probably) the Block Inheritance feature should help you put a wall between L, S, D and OU, restricting the policy to an OU and not allowing it to spread across.


    • Edited by Akabe Saturday, January 21, 2017 4:12 PM
    Saturday, January 21, 2017 4:12 PM
  • I am not really sure what you mean by "blocked inheritance" - it seems I have problems understanding GPO (and I was sure I understood it pretty well when doing the MCSA exams). This GPO is linked to a single OU, containing the computers I would like to manage with it. But from what it seems, the domain figured out I want to manage the Administrators group domain-wide. The group got wiped everywhere, the groups I wanted to add in the GPO only got applied in the selected OU, and everywhere else I was left with an empty Administrators group (i.e. with only the (local) Administrator as a member).

    Now I just want the GPO to stop wiping my group. I don't see any inheritance options...

    Saturday, January 21, 2017 4:24 PM
  • Hi,
     
    On 21.01.2017 at 16:37, Richard Mueller [MVP] wrote:
    > That is the way the Restricted Groups feature works. Any members you
    > specify are made members of the group. Any existing members that you
    > do not specify are removed.
     
    but only if you define

    GroupName:        Members
    Administrators    Your Group        = Replace

    GroupName:        Member of (!)
    Your Group        Administrators    = Merge
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Saturday, January 21, 2017 5:36 PM
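    The Replace-versus-Merge distinction Mark describes above is what the Restricted Groups client-side extension reads from the GPO's security template. The following PowerShell is an added example (not code from this thread or from Microsoft): it parses the [Group Membership] section of a GptTmpl.inf (the template stored under Machine\Microsoft\Windows NT\SecEdit in the GPO's SYSVOL folder) and reports, per entry, whether it replaces a group's membership or merely merges a group into another, flagging a BUILTIN\Administrators "Members" line that does not list Domain Admins. The INF text, the SIDs in it and the function name are constructed for the example.

```powershell
# Added example, not code from the thread or from Microsoft. Parses the
# [Group Membership] section of a Restricted Groups template (GptTmpl.inf)
# and reports which entries REPLACE a group's membership and which only MERGE
# a group into another. The INF text below is constructed sample data.

$SampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

$BuiltinAdminsSid = '*S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$DomainAdminsRid  = '-512'            # RID of Domain Admins in every domain

function Get-RestrictedGroupsEffect {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        # Only the [Group Membership] section carries Restricted Groups entries.
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^\s*(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<targets>.*)$') { continue }

        $group   = $Matches['group']
        $kind    = $Matches['kind']
        $targets = @($Matches['targets'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        if ($kind -eq 'Members') {
            # "Members" is authoritative: the group ends up with exactly this list,
            # so an empty list means the group is emptied (Windows keeps only the
            # members it refuses to remove, such as the built-in Administrator).
            $effect = 'Replace'
            if ($targets.Count -gt 0) { $summary = "$group membership becomes exactly: $($targets -join ', ')" }
            else                      { $summary = "$group is emptied" }
            $keepsDomainAdmins = [bool]($targets | Where-Object { $_ -like "*$DomainAdminsRid" -or $_ -like '*Domain Admins*' })
            $lockout = ($group -eq $BuiltinAdminsSid) -and -not $keepsDomainAdmins
        }
        else {
            # "Member of" is additive: the group is added to each target and
            # nothing that is already there is removed.
            if ($targets.Count -eq 0) { continue }   # an empty Memberof line does nothing
            $effect  = 'Merge'
            $summary = "$group is added to: $($targets -join ', ') (existing members kept)"
            $lockout = $false
        }

        [pscustomobject]@{
            Group       = $group
            Effect      = $effect
            Summary     = $summary
            LockoutRisk = $lockout
        }
    }
}

Get-RestrictedGroupsEffect -InfText $SampleInf | Format-Table -AutoSize
```

    On the sample template the Administrators "Members" line is reported as Replace with LockoutRisk set, which is exactly the configuration that leaves domain admins outside the local Administrators group; the "Memberof" line for the custom group is reported as Merge. A Replace line with an empty list is reported as written; whether it does anything on a given machine depends on whether that machine has a local group by that name, so confirm that before concluding the line empties anything.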
  • Well, this was *exactly* the information I got and used.


    Restricted groups, Add group, add the Local Admins group I made earlier, This group is a member of Administrators - so this should merge. And it made mayhem in my network.

    Saturday, January 21, 2017 6:03 PM
  • On 21.01.2017 at 19:03, andreulcx wrote:
    > Well, this was *exactly* the information I got and used.
     
    if it doesn't work, you are doing it wrong ;-)
     
    probably another GPO is taking effect?
    If you edit Restricted Groups, the first group you mention is your group,
    then make it a member of Administrators. That will add your group.
     
    As an alternative, use GPP Local Users and Groups. Much easier to
    configure.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Sunday, January 22, 2017 2:31 PM
  • Haha Mark, this reads as the infamous "you are holding it wrong" iPhone 4 "solution to the problem".

    This is exactly the way I have done it. I have created a "Local admins" group. Created a new GPO by linking it to an OU, Restricted Groups, add group, "local admins" group, "This group is a member of" - Administrators (i.e. Builtin/Administrators, not domain/Administrators). While I understand this could cause problems in the selected OU if something does not work, what bothers me is that this policy purged *all* Administrators groups throughout the domain, then went to the selected OU and added the "Local admins" group there to the PCs in that group. The rest of the domain was left purged with nobody but the Administrator account in the builtin/Administrators group. What's more - somehow it did that on the domain controllers as well, since this left me without the option to log in remotely to the server ("To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right...") - and you don't even have a builtin/Administrators group on a DC :S

    Again, the GPO was only linked to an OU. From what I know about GPO, this should limit the GPO actions to that particular OU, no part of this GPO should apply anywhere else in the domain. My god I was wrong :(

    And yes, I still have no idea where I went wrong. Whatever I look at, this ought to be done by the book and I got mayhem. Unfortunately I haven't remembered to first use the Local users and groups GPO, if that works any better.

    Will try getting rid of this GPO if I can then manage rights more normally through Local Users and Groups GPO...

    Monday, January 23, 2017 7:49 AM
  • > This is exactly the way I have done it. I have created a "Local admins" group. Created a new GPO by linking it to an OU, restricted groups, add group, "local admins" group, "This group is a member of" - Administrators (i.e. Builtin/Administrators, not domain/Administrators). While I understand this could cause problems in the OU selected if something does not work, what bothers me is that this policy purged *all* Administrators groups throughout the domain, then went to the selected OU and added the "Local admins" group there to the PCs in that group. The rest of the domain was left purged with nobody but the Administrator account in builtin/Administrators group. What's more - somehow it did that on the domain controllers as well since this left me without the option to remotely login to the server ("To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right...") - and you don't even have
    > a builtin/Administrators group on a DC :S

    1. You cannot nest local groups, so your "Local Admins -> Administrators" will not work anyway.
    2. Even on a DC there's a builtin\administrators group, although it is not a local group, but a domain local group :-)

    > Again, the GPO was only linked to an OU. From what I know about GPO, this should limit the GPO actions to that particular OU, no part of this GPO should apply anywhere else in the domain. My god I was wrong :(

    No, you are right. If a GPO is linked to an OU, it will affect computers in that OU only. This is the way it works since GPOs were introduced, and I've never seen that going wrong.
    Whatever you really did - if it changed domain groups, it was linked to the domain or the DC OU. (Did you move domain controllers to other OUs???)

    > Unfortunately I haven't remembered to first use the Local users and groups GPO, if that works any better.

    It works better because it is easier to handle. Unchecking (or checking) a box that is labeled "remove all members" is really obvious, opposed to the irritations with "members" and "member of" in restricted groups :)
     
    Monday, January 23, 2017 8:48 AM
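    The point made above, that a GPO only reaches the containers it is linked to, is something you can verify rather than argue about. The following PowerShell is an added example (not code from this thread or from Microsoft) that uses the GroupPolicy module to list every GPO in the domain that carries a Restricted Groups setting together with every site, domain or OU it is linked to, so a link at the domain root or at the Domain Controllers OU stands out. It assumes the GroupPolicy module (RSAT) is installed, that the account can read all GPOs, and that the XML report exposes the settings under Computer/ExtensionData/Extension/RestrictedGroups, which is how I recall the report schema; the function names are mine.

```powershell
# Added example, not code from the thread or from Microsoft. Lists GPOs that
# configure Restricted Groups and where each one is linked. Requires the
# GroupPolicy module (RSAT) and read access to all GPOs in the domain.

Import-Module GroupPolicy

function Get-GpoLinks {
    # Every container (domain, site, OU) a GPO is linked to, read from the
    # LinksTo elements of its XML report.
    param([Parameter(Mandatory)][guid]$Guid)
    [xml]$report = Get-GPOReport -Guid $Guid -ReportType Xml
    foreach ($link in @($report.GPO.LinksTo)) {
        if (-not $link) { continue }
        [pscustomobject]@{
            LinkedTo = $link.SOMPath      # e.g. contoso.com/Workstations
            Enabled  = $link.Enabled
            Enforced = $link.NoOverride
        }
    }
}

function Find-RestrictedGroupsGpos {
    # Walk all GPOs and report those whose Computer side carries a Restricted
    # Groups setting. Assumption: the report XML places them under
    # Computer/ExtensionData/Extension/RestrictedGroups; PowerShell's XML
    # dot-navigation ignores the namespace prefixes in the report.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $rg = @($report.GPO.Computer.ExtensionData.Extension.RestrictedGroups | Where-Object { $_ })
        if ($rg.Count -eq 0) { continue }

        # Read the managed group names via ChildNodes rather than .Name, because
        # .Name on an XmlElement is the element's own tag name.
        $groups = foreach ($entry in $rg) {
            $entry.GroupName.ChildNodes |
                Where-Object { $_.LocalName -eq 'Name' } |
                ForEach-Object { $_.InnerText }
        }

        $links = @(Get-GpoLinks -Guid $gpo.Id)
        # A link with no '/' in its path is the domain root; the Domain
        # Controllers OU is where a policy would reach DCs.
        $wide = $links | Where-Object {
            $_.Enabled -eq 'true' -and
            ($_.LinkedTo -notmatch '/' -or $_.LinkedTo -like '*/Domain Controllers')
        }

        [pscustomobject]@{
            GPO                 = $gpo.DisplayName
            ManagedGroups       = ($groups -join ', ')
            LinkedTo            = (($links | ForEach-Object { $_.LinkedTo }) -join '; ')
            ReachesDomainOrDCs  = [bool]$wide
        }
    }
}

Find-RestrictedGroupsGpos | Format-Table -AutoSize
```

    Any row with ReachesDomainOrDCs set explains a domain-wide wipe of local Administrators groups. For a single affected server, `gpresult /scope:computer /r` run on that machine lists the GPOs that were actually applied to it, which is the quickest way to check whether the OU-linked policy or some other one touched the group.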
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 8:08 AM
    Moderator
  • Sorry everybody for not following up on this - been sick a couple of days - I am still not sure what happened with the inheritance in the wrong way, but with all mentions of Restricted Groups removed from the GPO, things got back to normal. The nice thing here is that by deleting the Restricted Groups GPO the complete contents of the previous group membership were also restored; it was just a couple of stressful days of things not working OK before the GPO got applied everywhere. Valuable lesson learned: don't touch the Restricted Groups setting. Saves your stress level. Set the required additional membership with the Local Users & Groups GPO and that's working just fine.
    Monday, January 30, 2017 8:18 AM
  • Hi,
    Thanks for your update and for sharing; it will be greatly helpful to others who have the same question. And we would appreciate it if you marked the helpful replies as answers.
    In addition, please take care of yourself. :)
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 31, 2017 1:40 AM
    Moderator