Re: problem with "Restricted Groups" within a GPO linked to my dom
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 22 Jan 2006 11:26:46 -0600
You are saying that the users no longer appear as members of the RG but the
Member Of tab on their user account shows that they are still members? If
that is the case, maybe you need to close ADUC and reopen it to refresh it.
Try running the command net user username on a domain controller to see what
it shows for group membership for a user after they have been removed from an
RG, to see if it shows proper group membership, and be sure to log off and
log on again if you are using the test user account so that their security
token is refreshed. If problems persist and you have more than one DC, make
sure they are replicating properly with tools like dcdiag, replmon, and
gpotool.
--- Steve

"Gregory Mode" <GregoryMode@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E691C2D-DE8B-41A2-80A9-99486471611B@xxxxxxxxxxxxxxxx
> Thanks for your quick response....I've tested and I'm getting partial
> results.
>
> I edited the "Restricted Groups" in the GPO and it now has the following
> groups: Administrators (abc.com/Builtin), Backup Operators
> (abc.com/builtin), Domain Admins (abc.com/anOUthatImovediTto),
> Enterprise Admins (abc.com/anOUthatImovediTto), Schema Admins
> (abc.com/anOUthatImovediTto).
>
> I then added all the above groups to 2 users in the
> 'abc.com/anOUthatImovediTto' and to 1 user in 'abc.com/anotherOUiCreated'
>
> Results when I performed a 'gpupdate /force' was that all three users had
> the Administrators and Backup Operators groups removed from the users, but
> the Domain Admins, Enterprise Admins, and Schema Admins were still listed
> in all three users' 'Members Of' tab.
>
> What's going on now?
>
>
> "Steven L Umbach" wrote:
>
>> Restricted Groups does not prevent a user that can add members to a RG
>> from doing so. What RG will do however is to enforce membership of the
>> RG at the next Group Policy computer configuration refresh which for a
>> domain controller is no more than five minutes by default or you can
>> force a refresh at which time you should see the unauthorized user
>> removed from the RG. --- Steve
>>
>>
>> "Gregory Mode" <GregoryMode@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:8E0CA82E-5DDB-42E0-AC39-29934002A5F3@xxxxxxxxxxxxxxxx
>> > I'm currently trying to set up "Restricted Groups" in my domain and I'm
>> > having problems (I think).
>> >
>> > From my understanding, when I define a group(s) within the "Restricted
>> > Groups" for a policy (that policy being linked to the domain, *enforced
>> > and *enabled) that group can no longer be modified (users cannot be
>> > added nor removed from that group in 'Active Directory Users and
>> > Computers' mmc).
>> >
>> > I defined 'Enterprise Admins' within "Restricted Groups," and for the
>> > Enterprise Admins, I defined one administrator user as a member of. I
>> > restarted the Server to have the policy take effect, signed on as a
>> > totally different user with administrator privileges, and with that
>> > user account was able to add any user to the 'Enterprise Admins' group.
>> >
>> > What am I missing?
>> >
>>
>>
>>
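
The refresh behaviour described in this thread, as an added Python example that is not part of any post: it parses the [Group Membership] section that a Restricted Groups policy writes to the GPO's GptTmpl.inf and reports which accounts a refresh would remove or add. The template text, account names and current memberships are constructed samples, and only the "Members" list is modelled.

```python
import re

# Constructed sample of a GPO security template (GptTmpl.inf); the account
# names are made up. S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup Operators.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = ABC\\admin1
*S-1-5-32-551__Memberof =
*S-1-5-32-551__Members =
"""

ENTRY = re.compile(r"^\*?(?P<group>[^=]+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def parse_restricted_groups(inf_text):
    """Return {group: {'members': set, 'memberof': set}} from the template text."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if m:
            names = {n.strip().lstrip("*").lower() for n in m["value"].split(",") if n.strip()}
            policy.setdefault(m["group"].strip(), {})[m["kind"].lower()] = names
    return policy

def enforce(policy, current):
    """Model a policy refresh: a defined Members list is authoritative, so
    unlisted accounts are removed and listed ones added. Groups that are not
    in the policy are left alone. Returns (new_membership, changes)."""
    result, changes = {}, []
    for group, members in current.items():
        have = {m.lower() for m in members}
        wanted = policy.get(group, {}).get("members")
        if wanted is None:
            result[group] = have
            continue
        changes += [(group, "remove", m) for m in sorted(have - wanted)]
        changes += [(group, "add", m) for m in sorted(wanted - have)]
        result[group] = set(wanted)
    return result, changes

if __name__ == "__main__":
    current = {"S-1-5-32-544": ["ABC\\admin1", "ABC\\testuser"],  # constructed
               "S-1-5-32-551": ["ABC\\testuser"]}
    for change in enforce(parse_restricted_groups(SAMPLE_INF), current)[1]:
        print(change)
```

An empty Members list, as for Backup Operators in the sample, empties the group at refresh; a group with no entry in the section is not touched.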