how to use restricted group GPO for local Power users

Discussion in 'Active Directory' started by luc bonenfant, May 21, 2008.

  1. Hello,

    I try to add domain user group into local power users group via restricted
    group GPO.

    It works fine for admin local group but impossible to applicate onto power
    users local group.

    Thank's
     
    luc bonenfant, May 21, 2008
    #1
    1. Advertisements

  2. Howdie!

    You can use the local SID for the Power Users group. Windows is smart
    enough to translate it afterwards:

    S-1-5-32-547

    cheers,

    Florian
     
    Florian Frommherz [MVP], May 21, 2008
    #2
    1. Advertisements

  3. luc bonenfant

    Jorge Silva Guest

    Hi
    It should work without problems. I have some domain security groups added
    via RGP without problems. Can you explain how are you doing? what errors are
    you getting?

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 21, 2008
    #3
  4. luc bonenfant

    Herb Martin Guest

    Use the SID as Florian says, or use the MMC from an XP or Vista
    box where the Power Users group exists -- this way it can be picked
    from the list of groups.

    Do NOT use this method (picking) from a DC where the group is
    not available -- use the SID there.

    (I had always suspected the SID would work but thanks to Florian
    for comfirming it because I had never tested that.)
     
    Herb Martin, May 21, 2008
    #4
  5. luc bonenfant

    Jorge Silva Guest

    -I'm sorry to desagree, but that must work in both ways.
    -It works doing it from a DC a Server or a Workstation.
    -I already tested many times and works.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 21, 2008
    #5
  6. luc bonenfant

    Herb Martin Guest

    Ok, but you don't seem to be disagreeing. <grin>
     
    Herb Martin, May 21, 2008
    #6
  7. luc bonenfant

    Jorge Silva Guest

    -Yes I'm, you don't have to use SIDs or doing it exclusively from a XP
    workstation!!! You can also do it from a DC or any other machine that you
    want.

    -You said "Do NOT use this method (picking) from a DC where the group is not
    available -- use the SID there." this statement is wrong, you can do it from
    a DC without problems.
    -That's why I said from in the first post how the poster was doing that
    configuration and what errors was he getting from that.


    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 21, 2008
    #7
  8. luc bonenfant

    Herb Martin Guest

    All reports I have seen say that the DCs don't show this group because
    there is no Power Users group on the DC.

    Are you saying that is incorrect, that the group actually shows by name?
     
    Herb Martin, May 21, 2008
    #8
  9. luc bonenfant

    Jorge Silva Guest

    All reports I have seen say that the DCs don't show this group because
    No. I'm saying that the fact of not having that group on DCs don't prevent
    you from creating a RGP and make users members of that group
    :p


    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 22, 2008
    #9
  10. thanks a lot for your answers.

    in fact I do the same as local admins but previously I must put a domain
    users on the poweruser local group to enable It for selection instead of
    local admins.
     
    luc bonenfant, May 22, 2008
    #10
  11. luc bonenfant

    Herb Martin Guest

    Then we were agreeing (again) <grin>
     
    Herb Martin, May 22, 2008
    #11
  12. luc bonenfant

    Jorge Silva Guest

    We are? hum... Why the use of SID when you don't need that?

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 22, 2008
    #12
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.