Restricted groups GPO deleted but still applying to WS's...

Discussion in 'Active Directory' started by Isaac Story, Jan 13, 2006.

  1. Isaac Story


    I started using the restricted groups GPO to add a domain group to local
    admin accounts on workstations and it had an unforeseen consequence. It
    replaced all local administrator account membership on every workstation.
    This was bad since we have a small handful of users that need admin rights to
    their workstations only. So I removed that GPO and fixed these users that had
    their rights taken away. Now for some reason there are a couple workstations
    that still appear to be applying the GPO when it doesn't even exist. Has
    anyone ever seen this? Or is there a recommended method for diagnosing this
    problem? I found the KB on viewing the group policy application history in
    the registry, but the data in the registry doesn't really make any sense or
    help me at all.
    Isaac Story, Jan 13, 2006

  2. Check the userenv.log on those machines. They're probably using an old GPO
    (because SYSVOL replication has broken on a machine - this is possible in XP
    as it will still process out-of-sync versions) or are unable to contact a DC
    and are using the current settings (cache).
    Paul Williams [MVP], Jan 22, 2006

  3. Restricted groups, as far as I'm aware, has no merge feature. It wasn't
    designed to help roll out group membership, but rather to enforce group
    membership to rule out inconsistencies and mistakes.

    Restricted groups needs to be planned. You must not forget to add
    DOMAIN\Domain Admins and Administrator if you are pushing this out to member

    If you just wish to add a group to the local admins, and have many bespoke
    local admin group members, you should use a startup script:
    Paul Williams [MVP], Jan 22, 2006
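
The startup-script approach suggested in the last reply, as an added example that is not part of the original thread and not the poster's script: it appends one domain group to the local Administrators group and leaves the bespoke members in place. It assumes PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) and deployment as a computer startup script; the group name `CONTOSO\Workstation Admins` and the log path are placeholders.

```powershell
# Added example, not from the thread. Runs as a computer startup script (SYSTEM).
# ASSUMPTION: 'CONTOSO\Workstation Admins' and the log path are placeholders.
param(
    [string]$GroupToAdd = 'CONTOSO\Workstation Admins',
    [string]$LogFile    = "$env:SystemRoot\Temp\AddLocalAdminGroup.log"
)

# Well-known SID of the built-in Administrators group. Using the SID instead of
# the name keeps the script working on localized Windows installations.
$AdminsSid = 'S-1-5-32-544'

function Write-Log([string]$Message) {
    # One timestamped line per run, so each workstation leaves an audit trail.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    # Add-LocalGroupMember only appends: existing members stay in place, which
    # avoids the replace-everything behaviour described in the first post.
    Add-LocalGroupMember -SID $AdminsSid -Member $GroupToAdd -ErrorAction Stop
    Write-Log "Added '$GroupToAdd' to local Administrators."
}
catch {
    if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
        # Already added on an earlier boot: the script is safe to run every time.
        Write-Log "'$GroupToAdd' is already a member; no change."
    }
    else {
        # Typical causes: no DC reachable during startup, or a mistyped group name.
        Write-Log "FAILED to add '$GroupToAdd': $($_.Exception.Message)"
        exit 1
    }
}
```

Because the script never removes anything, membership granted this way has to be cleaned up separately if the group should later lose admin rights.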