Restricted Group Problem: My Scenario and problem... what am I doing

Discussion in 'Active Directory' started by BookerW, Aug 28, 2006.

  1. BookerW

    BookerW Guest

    On my XP box with GPMC installed, I set up a GPO as follows:

    1. Open up a GPO
    2. Within Computer Configuration, Restricted Groups, I click to Add Group
    3. Click Browse, choose Local Computer Name, choose Administrators Group
    4. When the Administrators Group Properties box pops up, on the members of
    this group, I add Domain Admins, another domain group, and then I choose the
    local computer name and add the renamed account that we use on all of our
    local boxes that is the built-in administrator account

    5. I do not edit or change anything in the "This group is a member of" section

    6. I then click Apply and OK

    7. Next, I go into the properties of the GPO itself, the scope, details,
    settings and delegation tabs

    8. On the scope, I remove Authenticated Users and add a domain testuser,
    and the Domain Admins group

    9. Inside of Delegation, testuser has Read/Apply GP permission and Domain
    Admins has R/W and Apply Group Policy, etc...


    When I go to the computer that this GPO is linked to (linked to the OU that
    the computer is in), no matter who I log on as, testuser or a domain admin,
    in the Policy Summary, my Restricted Group GPO shows in the Denied
    GPOs... reason denied: Inaccessible!!


    What gives!!??

    Thanks
     
    BookerW, Aug 28, 2006
    #1

  2. Hi,

    Restricted Groups applies to the computer and not to a specific user. So,
    if you wish to security filter the policy you must filter it based on
    computer accounts. The computers you wish to apply this policy must have
    Read and Apply Group Policy Permissions. Normally, the computer accounts
    get these permissions via the Authenticated Users group.


    Hope this helps,

    Brian Delaney
    Microsoft Canada
     
    Brian Delaney [MSFT], Aug 29, 2006
    #2
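
One way to check the point made in the reply above, as an added example that is not part of the original thread: list who holds Apply Group Policy on the GPO and grant it to a computer group if no computer principal is covered. It assumes the `GroupPolicy` PowerShell module (RSAT) is available; the GPO name and group name are placeholders.

```powershell
# Added example: the names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName       = 'Restricted Groups - Local Admins'  # placeholder GPO name
$ComputerGroup = 'RG-Policy-Computers'               # placeholder group holding the target computer accounts

# Resolve the placeholder group to its SID so the comparison does not rely on display names.
$groupSid = (New-Object System.Security.Principal.NTAccount($ComputerGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Every trustee that currently holds Read + Apply Group Policy on the GPO.
$apply = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }

$apply | ForEach-Object {
    '{0,-30} {1,-16} {2}' -f $_.Trustee.Name, $_.Trustee.SidType, $_.Trustee.Sid.Value
}

# Computer Configuration settings (Restricted Groups included) are processed
# only when the computer account itself is covered by the filter:
#   S-1-5-11        Authenticated Users (includes domain computer accounts)
#   S-1-5-21-*-515  Domain Computers
$coversComputers = $apply | Where-Object {
    $sid = $_.Trustee.Sid.Value
    $sid -eq 'S-1-5-11' -or
    $sid -like 'S-1-5-21-*-515' -or
    $sid -eq $groupSid -or
    $_.Trustee.SidType -eq 'Computer'
}

if (-not $coversComputers) {
    Write-Warning "No computer principal can apply '$GpoName'; granting Apply to $ComputerGroup."
    Set-GPPermission -Name $GpoName -TargetName $ComputerGroup `
        -TargetType Group -PermissionLevel GpoApply
}
```

A computer newly added to the group must restart before the membership takes effect; `gpresult /r /scope computer` on that machine then shows whether the GPO is applied or still filtered out.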

  3. BookerW

    BookerW Guest

    That makes perfect sense. I will add the Computer account and see what
    happens.


    Thanks
     
    BookerW, Aug 29, 2006
    #3