Anybody use restricted groups ?
I've noticed that all our PCs have a default list of local administrators.
This has been done via group policy: the GPO is linked at the domain
so affects all OUs and uses "Restricted Groups" with just one group:
Looking at its properties I see under "Members of this group"
a list of users/groups.
I need more fine-grained control and am not sure of the best way to approach it.
If I delete this "Restricted Groups" setting from the GPO which applies at the domain level,
what will happen?
Will local admins revert to whatever they were previously on each PC, or will they just stay as is?
Should I set "Restricted Groups" via another GPO at a lower level OU e.g. using inheritance ?
We use restricted groups for local administrators for many reasons. For one, it's a quick way to give someone the ability to install specific software on their workstation without compromising the whole system by making them Domain Admins, which I have seen.
Last edited by Davit2005; 10th February 2014 at 03:23 PM.
Not sure what you're doing, but GPP can edit local accounts. I use this to disable some old local accounts and set the administrator password in case some pupil figures out how to hack the local admin password... it'll set it right back.
Generally, if you make a change through GP the clients will hold that setting until it is changed again. If you want to see what happens when you make changes on a GPO you can always disable rather than delete it. That way, should you accidentally lock yourself out of something, you can always re-enable the GPO and reboot the client.
If you want to test some GPO settings create a test OU and move a client & Test User into that and create a new GPO there. Once testing is done you can either add it to specific OU or further up the chain to apply to more Objects.
Yep, test, test. You can create a GPO with restricted groups and add an AD group, then apply it to an OU with the PCs the user(s) need to be administrator of.
OK, thanks all.
I'll do some testing and then if looks ok I'll probably edit the GPO linked at the domain level so the Administrators group
has only proper admin members, e.g. Domain Admins.
Then link a new GPO with a restricted groups setting to a lower down OU e.g. "office computers" with say "office staff" in administrators group
Looks ok after testing. Made some notes as I went along:
Disabled GPO link at domain; then after a gpupdate and machine reboot I see local admins are back to old values.
Can check members via "net localgroup administrators"
So re-enabled link but tweaked members of BUILTIN\Administrators
Linked a new GPO at lower down OU but used caution as "last writer wins" (not merged)
Decided to create a “NewGroup” with extra admin users in and added it as restricted group
then added it as a "member of" Administrators
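An added example (not from the thread) that automates the two checks in the notes above: it compares the current BUILTIN\Administrators membership against an expected baseline, and then reads the RSoP logging data on the PC to show which GPO's Restricted Groups entry actually won, which is how to confirm "last writer wins" rather than guess. The domain name `CONTOSO`, the group names, and the RSoP class/property names used for the second check are assumptions; run it elevated on a test PC after a `gpupdate /force` and reboot.

```powershell
# Added example: audit BUILTIN\Administrators against a baseline and show
# which GPO delivered the Restricted Groups setting. Not from the original thread.
# Run elevated on a domain-joined test PC. Names below are assumptions.
param(
    [string[]]$ExpectedMembers = @(
        'Administrator',           # built-in local account (assumed to stay)
        'CONTOSO\Domain Admins',   # assumed domain name and group
        'CONTOSO\NewGroup'         # the extra-admins group from the notes
    )
)

# 1. What is actually in the local Administrators group right now?
#    (Equivalent to "net localgroup administrators", but gives objects we can compare.)
#    Note: on Windows PowerShell 5.1 this cmdlet can throw if the group holds an
#    orphaned SID; the catch below falls back to the net command's text output.
try {
    $actual = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $_.Name }
}
catch {
    Write-Warning "Get-LocalGroupMember failed ($_); falling back to net localgroup."
    $raw    = net localgroup administrators
    # Members are listed between the dashed separator and the trailing status line.
    $start  = [array]::IndexOf($raw, ($raw | Where-Object { $_ -like '---*' } | Select-Object -First 1)) + 1
    $actual = $raw[$start..($raw.Count - 1)] |
        Where-Object { $_ -and $_ -notlike 'The command completed*' }
}

# Comparisons are case-insensitive, as PowerShell's -notin is by default.
$unexpected = $actual          | Where-Object { $_ -notin $ExpectedMembers }
$missing    = $ExpectedMembers | Where-Object { $_ -notin $actual }

Write-Host "Current members of Administrators:"
$actual | ForEach-Object { Write-Host "  $_" }
if ($unexpected) { Write-Warning "Unexpected members: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Missing members:    $($missing -join ', ')" }
if (-not $unexpected -and -not $missing) { Write-Host "Administrators matches the baseline." }

# 2. Which GPO's Restricted Groups entry is in effect? RSoP logging records each
#    Restricted Groups entry with the GPO it came from and its precedence, so the
#    "last writer wins" behaviour can be verified. Class and property names are
#    assumptions; if they do not resolve, gpresult gives the same information.
try {
    Get-CimInstance -Namespace 'root\rsop\computer' -ClassName 'RSOP_RestrictedGroup' -ErrorAction Stop |
        Sort-Object precedence |
        Select-Object GroupName, Members, MemberOf, precedence, GPOID |
        Format-Table -AutoSize -Wrap
}
catch {
    Write-Warning "Could not read RSoP data ($_). Run: gpresult /scope computer /h rsop.html"
}
```

Because Restricted Groups "Members of this group" replaces the whole membership rather than merging, run this on a PC in the lower OU and on one outside it: the first should show `NewGroup` and the GPO linked to the lower OU at the lowest precedence, the second should show only the domain-level GPO's members.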
I've changed the password a bit but not made it longer, just swapped out some chars.
It may be reversible, but not quite plain text. You'd need hard drive access to see it anyway, and I think anything less than whole drive encryption won't help that.
You are using GPP to set a local password on a machine. You edited the XML file in the sysvol folder on the server and that's what it showed?
And I would be more than happy to destroy any misconceptions you have about preventing users from being able to access the C drive.
Last edited by MordyT; 13th February 2014 at 05:23 AM.
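An added example (not from the thread) for the exchange above: it walks the SYSVOL Policies share and reports every Group Policy Preferences item file that carries a `cpassword` attribute, i.e. a stored account password of the kind the poster found in the XML. It only reports where such values exist and which account and GPO they belong to; it does not decode them. The SYSVOL path is derived from the current user's domain and is an assumption; adjust it if your policies live elsewhere.

```powershell
# Added example: list GPP item files in SYSVOL that store a cpassword value.
# Not from the original thread. Read-only; requires read access to SYSVOL.
param(
    # Assumed path; SYSVOL is normally \\<domain>\SYSVOL\<domain>\Policies
    [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# GPP item types that can carry stored credentials (file names as written by GPMC).
$preferenceFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                   'DataSources.xml', 'Printers.xml', 'Drives.xml'

Get-ChildItem -Path $SysvolPolicies -Recurse -File -Include $preferenceFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try   { [xml]$xml = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Skipping unreadable file $($file.FullName): $_"; return }

        # Any element with a cpassword attribute, whatever the item type.
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            # The {GUID} folder directly under Policies identifies the GPO.
            $gpoGuid = ($file.FullName -split '\\Policies\\')[1].Split('\')[0]
            # User items name the account in userName; service/task items use accountName.
            $account = $node.GetAttribute('userName')
            if (-not $account) { $account = $node.GetAttribute('accountName') }

            [pscustomobject]@{
                GPO           = $gpoGuid
                File          = $file.Name
                Account       = $account
                LastChanged   = $node.ParentNode.GetAttribute('changed')
                CpasswordSet  = [bool]$node.GetAttribute('cpassword')
                Path          = $file.FullName
            }
        }
    } | Format-Table GPO, File, Account, LastChanged, CpasswordSet -AutoSize
```

Map each `GPO` GUID back to a friendly name with `Get-GPO -Guid <guid>` from the GroupPolicy module, and treat an empty result as the goal: any row means a local account's password is being distributed through a file that every domain member can read from SYSVOL, which is the "hard drive access" the poster describes but on the server rather than the client.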