If you set a different Restricted Groups policy at the servers level, it will override, but it would have to contain those settings/groups you want.

We don't set ours at the Default Domain Policy, as computers never land anywhere but in an OU (we've redirected the default containers). Instead, we link the policies up at the OUs, including something different at the servers level (under another OU structure).

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 7:12 AM
To: [email protected]
Subject: [NTSysADM] Removing a Restricted Group via GPO

In our Default Domain Policy, we have a Restricted Group. This is a domain group of users we want to be local admins on all PCs (such as my field techs). This is all set up and working.

Here's the problem - since this is part of the Default Domain Policy, *every* computer joined to the domain gets this setting, including ones that shouldn't (such as servers). Now, we keep all our various servers in 1 OU, a separate OU from all the client PCs. This Servers OU has its own GPO (with blocked inheritance).

My question: is there a way for this Servers GPO to be able to remove a Restricted Group, if it exists? This way, when we move a server machine account to the Servers OU, this LocalAdminsGroup won't exist as a member of the local Administrators group?

I see references everywhere on how to add to the Restricted Group, but not how to remove it ... I don't want my field techs to have local admin access on the servers, only on the client PCs.

Thanks
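Added example, not part of either message in the thread. Background for the reply above: a Restricted Groups entry for Administrators configured with "Members of this group" is authoritative, so the Servers OU policy only has to list the members it wants and anything not listed (including LocalAdminsGroup) is removed on the next policy refresh; the "This group is a member of" form only adds and never removes. The script below is the check a practitioner would run before and after moving a machine into the Servers OU: it audits the local Administrators group on a list of servers for the field-tech group and, with -Remove, strips it as a one-off cleanup on hosts where policy has not applied yet. Domain, server and group names (CONTOSO, LocalAdminsGroup, srv01/srv02) are placeholders I assumed, not names from the thread; it uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / Windows 10 and later) and needs admin rights on the targets.

```powershell
# Audit (and optionally remove) an unwanted domain group from the local
# Administrators group on a set of servers. Example code written for this
# page; not from the original posters. Names below are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = @('srv01', 'srv02'),          # assumed server names
    [string]$GroupToRemove  = 'CONTOSO\LocalAdminsGroup',   # assumed domain group
    [switch]$Remove,                                        # audit only unless set
    [switch]$RefreshPolicy                                  # run gpupdate afterwards
)

# Runs on each remote host. Returns one object per host so the caller can
# collect results instead of parsing console output.
$remoteBlock = {
    param([string]$Group, [bool]$DoRemove, [bool]$DoRefresh)

    $members = Get-LocalGroupMember -Group 'Administrators'
    # Match on the full DOMAIN\Name form so a local account or group with the
    # same short name is not touched by mistake.
    $hit = $members | Where-Object { $_.Name -eq $Group }

    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = [bool]$hit
        Removed   = $false
        Admins    = ($members | ForEach-Object Name) -join '; '
    }

    if ($hit -and $DoRemove) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Group -ErrorAction Stop
        $result.Removed = $true
        $result.Admins  = ((Get-LocalGroupMember -Group 'Administrators') |
                           ForEach-Object Name) -join '; '
    }

    if ($DoRefresh) {
        # Re-apply computer policy so the Servers OU GPO (with its authoritative
        # Restricted Groups "Members" list) is what finally decides membership.
        gpupdate /target:computer /force | Out-Null
    }

    $result
}

foreach ($computer in $ComputerName) {
    if ($Remove -and -not $PSCmdlet.ShouldProcess($computer, "Remove $GroupToRemove from Administrators")) {
        continue
    }
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $remoteBlock `
            -ArgumentList $GroupToRemove, [bool]$Remove, [bool]$RefreshPolicy `
            -ErrorAction Stop
    }
    catch {
        # Report unreachable or failing hosts in the same shape as successes.
        [pscustomobject]@{
            Computer = $computer
            Present  = $null
            Removed  = $false
            Admins   = "ERROR: $($_.Exception.Message)"
        }
    }
}
```

Run it without -Remove first to see which servers still carry the group; then with -Remove -WhatIf to preview, and finally -Remove -RefreshPolicy. If the group reappears after gpupdate, the Servers OU GPO is either not applying (check with gpresult /r /scope computer) or its Restricted Groups entry still lists the group.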
