I haven't played with this but my understanding is that you do what you mention in your first post. Create a restricted group for the group name that you want to add and then place in the memberof section what groups you want it added to...
 
Now my question would be... Where does the new functional code need to be at for this to work? I would expect on the client as that is what is processing the GPO.
 
There is quite a discussion on this in the archives if you want to go back to it.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 27, 2004 2:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help with Restricted Groups

Looks like I was thinking about this backwards. When you do Add Group, that's referring to the local group on the machines in the OU, not the universal group I wanted to add. Once I got that figured out, I added the Universal group to the Members area. After a while, it showed up correctly on the member machine. Then I discovered the default "Domain Admins" was gone. I thought that was what several people were talking about that was fixed in SP4, but nevertheless, I added Domain Admins to the list also, and now both groups are members of the machine's local Admins.

 

Thanks - just wanted to share the solution. If someone is feeling up to it, I wouldn't mind a clearer explanation of what the SP4 fix actually did with regards to Restricted Groups. Thanks again!

 

<mc>

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 27, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help with Restricted Groups

 

Mark-

 

Restricted Groups errors are almost always reflected in the winlogon.log in c:\windows\security\logs. Poke around in there and see what you can find.

 

--Brian

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tue 4/27/2004 10:28 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Help with Restricted Groups

I had posted some questions a week or so ago, which Guido and some others kindly responded to. It's still not quite doing what I thought it would do, so if you'll bear with me, I'd like to outline my steps and see what's wrong.

 

Three Windows 2000 domains, a root and two subs. A Universal group UnivAdmins has been created in the root domain. It contains members whose accounts exist in the 2 subdomains.

 

In each of the 2 subs, I created a Servers OU, and placed some test Win2K SP4 servers in the OU. Then I set up a GPO applied to that OU. Under Computer Configuration/Windows Settings/Security Settings/Restricted Groups, I did Add Group, and added my UnivAdmins Group. Then I right-clicked and did Security.

 

Here's where the confusion comes in: I tried adding "Administrators" to the "This group is a member of" dialog, with the intention that this would make the Universal group a member of the local Administrators on each server inside the OU that this GPO applies to. I have waited for replication, applied secedit /refreshpolicy, tried rebooting the member server, etc. but the universal group never shows up in the Administrators group of the local server. Can someone help me out with this?

 

Thanks!

 

Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do
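
Added example, not part of the original thread: a small Python audit of the [Group Membership] section a Restricted Groups GPO writes to GptTmpl.inf, showing which existing local members a "Members" list would drop (the missing Domain Admins reported above). The INF text and every account name are constructed samples, and the model assumes "Members" replaces the local list while "Member Of" only adds.

```python
# Added example: models how a Restricted Groups policy changes a local group.
# The GptTmpl.inf text and all account names below are constructed samples.
ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = ROOT\UnivAdmins
ROOT\HelpDesk__Memberof = *S-1-5-32-544
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": list or None, "memberof": list}}."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        names = [v.strip() for v in value.split(",") if v.strip()]
        entry = policy.setdefault(group, {"members": None, "memberof": []})
        entry[kind.lower()] = names  # an empty Members line means "no members"
    return policy

def apply_to_local_group(policy, group, current):
    """Return (resulting members, removed members) for one local group."""
    result = set(current)
    entry = policy.get(group)
    if entry and entry["members"] is not None:
        result = set(entry["members"])   # Members: assumed authoritative
    for principal, other in policy.items():
        if group in other["memberof"]:
            result.add(principal)        # Member Of: assumed additive
    return sorted(result), sorted(set(current) - result)

if __name__ == "__main__":
    pol = parse_group_membership(SAMPLE_INF)
    after, removed = apply_to_local_group(pol, ADMINISTRATORS, [r"CHILD1\Domain Admins"])
    print("resulting members:", after)
    print("removed by policy:", removed)
```

Anything reported as removed has to be listed under Members as well if it should keep its local admin rights, which is the fix Mark describes.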

 
