Discussion in 'Update Services' started by jmalloney, Oct 13, 2005.

  1. jmalloney

    jmalloney Guest

    I have used restricted groups in GP to control membership of both the local
    users and administrators groups. I added the "domain users" group to
    "Users" and "Domain Admins" group to "Administrators". The main reason I
    did this was that I wanted all domain users to be restricted from making
    system-wide changes to their local pc. The policy worked as I could see
    that their local groups reflected my settings at the domain. The problem is
    that although domain users are in the "users" group they are still able to
    make system-wide changes. I tested this: as a user I can make myself a
    local admin, delete system files, etc.

    In the past I never used group policy for this. I would simply open control
    panel, users, and add the user to the "restricted users" group. This always
    worked well, and prevented them from making any critical changes to the
    system. My understanding was that the "users" in computer management was
    the same as the "restricted users" group shown in control panel\users. What
    am I doing wrong?? I want all my domain users to be restricted through group

    jmalloney, Oct 13, 2005
  2. jmalloney

    M. Eteum Guest

    Being in the Local Administrators group, if I'm not mistaken, one can do
    whatever he pleases, including blocking any inheritance from the Domain
    Group Policy settings or disjoining the machine(s) from the domain.

    I've been struggling as well with how to prevent any Local Administrators
    from blocking Domain-wide Group Policy settings. E.g. a Local Administrator
    can do everything on the machine EXCEPT block the domain-wide Group
    Policy settings, change the machine name, change network settings,
    disjoin the domain, etc.

    M. Eteum, Oct 14, 2005
  3. jmalloney

    jmalloney Guest

    OK, well, I figured it out. When I added domain users to the local users
    group via Restricted Groups, the policy removed the default INTERACTIVE and
    AUTHENTICATED USERS from the local users group. After I added the groups
    back into restricted groups, my policy worked fine.

    Thanks for all your help!!
    jmalloney, Oct 14, 2005
