none
Group Policy to Remove Admin Groups Except One

    Question

  • I have a GPO that removes all Admin Groups from all domain machines.  How can I get it to remove all except one Admin Group though? Thanks.
    Thursday, April 20, 2017 7:29 PM

Answers

  • are you using a script, restricted groups, or group policy preferences?

    Group policy preferences. 

    It was easier to remove all of them but later on it was discovered that one or two groups needed to stay put.

    we use GPP-LU&G to "Delete all member groups" and then it re-populates only the groups we want to be nested as members. This is because we don't know who has crept in there over time, so we dump all members and only put in the ones we want.

    Or, if you aren't concerned with who might be in there but only want to ensure that your specific/desired members are definitely in there, don't use the "Delete all member groups" feature, just add the members you want.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by Don P B Thursday, April 20, 2017 9:43 PM
    Thursday, April 20, 2017 9:12 PM

All replies

  • are you using a script, restricted groups, or group policy preferences?
    Thursday, April 20, 2017 8:06 PM
  • are you using a script, restricted groups, or group policy preferences?

    Group policy preferences. 

    It was easier to remove all of them but later on it was discovered that one or two groups needed to stay put.

    Thursday, April 20, 2017 8:47 PM
  • are you using a script, restricted groups, or group policy preferences?

    Group policy preferences. 

    It was easier to remove all of them but later on it was discovered that one or two groups needed to stay put.

    we use GPP-LU&G to "Delete all member groups" and then it re-populates only the groups we want to be nested as members. This is because we don't know who has crept in there over time, so we dump all members and only put in the ones we want.

    Or, if you aren't concerned with who might be in there but only want to ensure that your specific/desired members are definitely in there, don't use the "Delete all member groups" feature, just add the members you want.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by Don P B Thursday, April 20, 2017 9:43 PM
    Thursday, April 20, 2017 9:12 PM