Re: problem with "Restricted Groups" within a GPO linked to my dom



GOT IT....Thanks! It was not applying to the Domain Controllers OU and that
was causing the issue.

Though I did check the inheritance on the Domain Controllers OU and the
precedence was set as shown below:

1 Default Domain Controllers Policy
2 Default Domain Policy

......I had initially set up the Restricted Groups within the Default Domain
Policy. So I'm still unclear as to why I had to set up the same Restricted
Groups in the Default Domain Controllers Policy.

Any clarification will be helpful, but not necessary.
Thanks for your help Steven and Roger!

-Greg


"Roger Abell [MVP]" wrote:

> "Gregory Mode" <GregoryMode@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:46093ED8-AD07-4652-8A27-08D0897D3B23@xxxxxxxxxxxxxxxx
> > OK, I've now tested this on two separate labs and I'm getting the same
> > response as I listed earlier. Net User shows my test subjects as having the
> > same group membership as is shown in ADUC. I'm not familiar with dcdiag, and
> > have never heard of a gpotool <--is that GPMC?
> >
> > So... what's true for these labs and my tests = Groups in the 'Built In'
> > container that are placed in the Restricted Groups policy are persistently
> > kicking out users that I try to add thereafter. Other groups (Enterprise
> > Admins, Domain Admins) that are placed within the Restricted Groups policy
> > *do not* kick out users added thereafter.
> >
> > Any answers? Does this happen for anyone else?
> >
>
> No. That is not my experience. I will see a brief (up to 5 minute)
> deviation but then the membership is reset.
> Check that all that is listed to be a member of the restricted group
> definition actually does exist. Make sure that the GPO carrying the
> Restricted Group definition is applying to the Domain Controllers OU
> as the highest priority (relative to the Restricted Group definition) GPO.
>
> >
> > "Steven L Umbach" wrote:
> >
> >> You are saying that the users no longer appear as members of the RG but the
> >> member of tab on their user account shows that they are still members? If
> >> that is the case maybe you need to close ADUC and reopen it to refresh it.
> >> Try running the command net user username on a domain controller to see what
> >> it shows for group membership for a user after they have been removed from a
> >> RG to see if it shows proper group membership and be sure to logoff and
> >> logon again if you are using the test user account so that their security
> >> token is refreshed. If problems persist and you have more than one DC make
> >> sure they are replicating properly with tools like dcdiag, replmon, and
> >> gpotool. --- Steve
> >>
> >>
> >>
> >> "Gregory Mode" <GregoryMode@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:0E691C2D-DE8B-41A2-80A9-99486471611B@xxxxxxxxxxxxxxxx
> >> > Thanks for your quick response....I've tested and I'm getting partial
> >> > results.
> >> >
> >> > I edited the "Restricted Groups" in the GPO and it now has the following
> >> > groups: Administrators (abc.com/Builtin), Backup Operators (abc.com/builtin),
> >> > Domain Admins (abc.com/anOUthatImovediTto), Enterprise Admins
> >> > (abc.com/anOUthatImovediTto), Schema Admins (abc.com/anOUthatImovediTto).
> >> >
> >> > I then added all the above groups to 2 users in the
> >> > 'abc.com/anOUthatImovediTto' and to 1 user in 'abc.com/anotherOUiCreated'
> >> >
> >> > Results when I performed a 'gpupdate /force' was that all three users had
> >> > the Administrators and Backup Operators groups removed from the users, but
> >> > the Domain Admins, Enterprise Admins, and Schema Admins were still listed in
> >> > all three users' 'Members Of' tab.
> >> >
> >> > What's going on now?
> >> >
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> Restricted Groups does not prevent a user that can add members to a RG from
> >> >> doing so. What RG will do however is to enforce membership of the RG at the
> >> >> next Group Policy computer configuration refresh which for a domain
> >> >> controller is no more than five minutes by default or you can force a
> >> >> refresh at which time you should see the unauthorized user removed from the
> >> >> RG. --- Steve
> >> >>
> >> >>
> >> >> "Gregory Mode" <GregoryMode@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:8E0CA82E-5DDB-42E0-AC39-29934002A5F3@xxxxxxxxxxxxxxxx
> >> >> > I'm currently trying to set up "Restricted Groups" in my domain and I'm
> >> >> > having problems (I think).
> >> >> >
> >> >> > From my understanding, when I define a group(s) within the "Restricted
> >> >> > Groups" for a policy (that policy being linked to the domain, *enforced
> >> >> > and *enabled) that group can no longer be modified (users cannot be added
> >> >> > nor removed from that group in 'Active Directory Users and Computers'
> >> >> > mmc).
> >> >> >
> >> >> > I defined 'Enterprise Admins' within "Restricted Groups," and for the
> >> >> > Enterprise Admins, I defined one administrator user as a member of. I
> >> >> > restarted the Server to have the policy take effect, signed on as a
> >> >> > totally different user with administrator privileges, and with that user
> >> >> > account was able to add any user to the 'Enterprise Admins' group.
> >> >> >
> >> >> > What am I missing?
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
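The thread turns on two points: a Restricted Groups "Members" list is enforced at the next computer-configuration refresh rather than blocking edits, and on the Domain Controllers OU the highest-precedence GPO that defines a group is the one that wins. The model below is an added example, not code from this thread or from Microsoft. It parses the [Group Membership] section of a GptTmpl.inf security template (the on-disk form of the Restricted Groups setting, where keys look like `<group>__Members` and `*` prefixes a SID), picks the winning definition in link-precedence order, and diffs it against a membership snapshot to show who a refresh would remove. The two template fragments, the S-1-5-21-1000-2000-3000 domain SID, the RID-1105 test user and the membership snapshot are all constructed for the example (only the well-known RIDs 544, 500, 512 and 519 are real); in particular the Default Domain Controllers Policy fragment is constructed to define Administrators so that the precedence rule has something to resolve.

```python
"""Model of what a Restricted Groups "Members" definition does at refresh.

Added example, not code from the thread or from Microsoft. Templates, domain
SID and membership snapshot are constructed; well-known RIDs are real.
"""
from typing import Dict, List, Optional, Tuple

# Constructed security templates in GptTmpl.inf shape.
DDCP_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-500,*S-1-5-21-1000-2000-3000-512
[Version]
signature="$CHICAGO$"
Revision=1
"""

DDP_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-500
*S-1-5-21-1000-2000-3000-519__Memberof =
*S-1-5-21-1000-2000-3000-519__Members = *S-1-5-21-1000-2000-3000-500
[Version]
signature="$CHICAGO$"
Revision=1
"""

# GPOs as linked to the Domain Controllers OU, index 0 = highest precedence
# (the order the thread lists: Default Domain Controllers Policy first).
DC_OU_GPOS: List[Tuple[str, str]] = [
    ("Default Domain Controllers Policy", DDCP_INF),
    ("Default Domain Policy", DDP_INF),
]

# Constructed snapshot of current membership (what `net user` or the ADUC
# "Member Of" tab would show). RID 1105 is a made-up test user.
CURRENT_MEMBERSHIP: Dict[str, List[str]] = {
    "*S-1-5-32-544": ["*S-1-5-21-1000-2000-3000-500",
                      "*S-1-5-21-1000-2000-3000-512",
                      "*S-1-5-21-1000-2000-3000-1105"],
    "*S-1-5-21-1000-2000-3000-519": ["*S-1-5-21-1000-2000-3000-500",
                                     "*S-1-5-21-1000-2000-3000-1105"],
}


def parse_group_membership(inf_text: str) -> Dict[str, Dict[str, Optional[List[str]]]]:
    """Return {group: {"members": list|None, "memberof": list|None}}.

    An empty Members value is meaningful (group enforced empty) and parses to
    []; None means the template does not define that list at all.
    """
    result: Dict[str, Dict[str, Optional[List[str]]]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "group membership"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries = [m.strip() for m in value.split(",") if m.strip()]
        result.setdefault(group, {"members": None, "memberof": None})[kind.lower()] = entries
    return result


def winning_members(gpos: List[Tuple[str, str]], group: str) -> Optional[Tuple[str, List[str]]]:
    """The first GPO in precedence order that defines group__Members wins."""
    for name, inf_text in gpos:
        entry = parse_group_membership(inf_text).get(group)
        if entry is not None and entry["members"] is not None:
            return name, entry["members"]
    return None


def plan_refresh(gpos: List[Tuple[str, str]], current: Dict[str, List[str]]) -> Dict[str, dict]:
    """Per group: which GPO wins and who a refresh removes/adds.

    Only the authoritative Members list is modelled; Memberof is additive and
    is left out. Groups no GPO defines are unmanaged and are skipped.
    """
    plan: Dict[str, dict] = {}
    for group, members_now in current.items():
        winner = winning_members(gpos, group)
        if winner is None:
            continue
        gpo_name, defined = winner
        plan[group] = {
            "winner": gpo_name,
            "remove": sorted(set(members_now) - set(defined)),
            "add": sorted(set(defined) - set(members_now)),
        }
    return plan


if __name__ == "__main__":
    for group, outcome in plan_refresh(DC_OU_GPOS, CURRENT_MEMBERSHIP).items():
        print(group, outcome)
```

Run as written it shows the two cases side by side: for Administrators the Default Domain Controllers Policy definition wins because it sits at precedence 1, while for Enterprise Admins the Default Domain Policy definition still applies on the DC OU because nothing higher defines that group; in both cases the RID-1105 test user is what the next refresh removes.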