Glad to hear it's fixed. Restricted Groups will refresh the local group to include ONLY what's in the policy setting every policy refresh, so, yes, you'll have to manually add the local admin account, domain admins, etc.
--Brian
-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tue 4/27/2004 1:36 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Help with Restricted Groups
Looks like I was thinking about this backwards. When you do Add Group,
that's referring to the local group on the machines in the OU, not the
universal group I wanted to add. Once I got that figured out, I added the Universal
group to the Members area. After a while, it showed up correctly on the member
machine. Then I discovered the default "Domain Admins" was gone. I thought
that was what several people were talking about that was fixed in SP4, but
nevertheless, I added Domain Admins to the list also, and now both groups are members
of the machine's local Admins.
Thanks - just wanted to share the solution. If someone is feeling up to
it, I wouldn't mind a clearer explanation of what the SP4 fix actually did with
regards to Restricted Groups. Thanks again!
<mc>
-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 27, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Help with Restricted Groups
Mark-
Restricted Groups errors are almost always reflected in the winlogon.log in
c:\windows\security\logs. Poke around in there and see what you can find.
--Brian
-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tue 4/27/2004 10:28 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Help with Restricted Groups
I had posted some questions a week or so ago, which Guido and some
others kindly responded to. It's still not quite doing what I thought
it would do, so if you'll bear with me, I'd like to
outline my steps and see what's wrong.
Three Windows 2000 domains, a root and two subs. A Universal group
UnivAdmins has been created in the root domain. It contains members whose accounts
exist in the 2 subdomains.
In each of the 2 subs, I created a Servers OU, and placed some test
Win2K SP4 servers in the OU. Then I set up a GPO applied to that OU. Under Computer
Configuration/Windows Settings/Security Settings/Restricted Groups, I did Add Group,
and added my UnivAdmins Group. Then I right-clicked and did Security.
Here's where the confusion comes in: I tried adding
"Administrators" to the "This group is a
member of" dialog, with the intention that this would make the Universal
group a member of the local Administrators on each server inside the OU that this GPO
applies to. I have waited for replication, applied secedit /refreshpolicy, tried
rebooting the member server, etc. but the universal group never shows up in the
Administrators group of the local server. Can someone help me out with this?
Thanks!
Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
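
The point this thread arrives at, that a Restricted Groups Members list replaces a local group's membership at every policy refresh, can be checked before a GPO is linked. The following is an added example, not code from any poster in the thread: it reads the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and reports which required principals an enforced Members list leaves out. The sample template, the placeholder domain SID and the function names are constructed for illustration.

```python
# Added example, not from the thread. SAMPLE_INF is constructed: the domain SID
# S-1-5-21-1111-2222-3333 is a placeholder; S-1-5-32-544 is built-in Administrators.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1106__Members =
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} holding only the
    keys that actually appear in the [Group Membership] section."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {})[kind.lower()] = entries
    return groups

def missing_from_enforced(groups, group, required):
    """Required principals absent from a group's Members list. A __Members
    line, even an empty one, is read as the complete list (this example's
    conservative choice); a group with no such line is not enforced here."""
    entry = groups.get(group, {})
    if "members" not in entry:
        return []
    listed = {m.lower() for m in entry["members"]}
    return [r for r in required if r.lower() not in listed]

if __name__ == "__main__":
    parsed = parse_group_membership(SAMPLE_INF)
    # The required list is the caller's choice; RID 512 is Domain Admins.
    need = ["*S-1-5-21-1111-2222-3333-512", "Administrator"]
    print(missing_from_enforced(parsed, "*S-1-5-32-544", need))
```
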
