On Tue, Jun 30, 2015 at 10:40 AM, Miller Bonnie L. <[email protected]> wrote:
> If you set a different restricted groups policy at the servers level it will
> override, but it would have to contain those settings/groups you want.

That's just it - I don't have any group I want for the servers, instead. I really don't want to make an empty AD group, just so I have something different to use for this one GPO, so that it will (effectively) remove the one I want, and instead leave one I also don't want but which isn't a threat ...

> We don't set ours at default domain policy as computers never land anywhere
> but in an OU (we've redirected the default containers). Instead, we link the
> policies up at the OUs, including something different at servers level (under
> another OU structure).

Yeah, ours should be in the GPO for the client computers. I didn't make this change to the default domain policy, though, I only heard about it today, when the boss complained about finding a domain group in a server's local administrators group. :-)

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Michael Leone
> Sent: Tuesday, June 30, 2015 7:12 AM
> To: [email protected]
> Subject: [NTSysADM] Removing a Restricted Group via GPO
>
> In our Default Domain Policy, we have a Restricted Group. This is a domain
> group of users we want to be local admins on all PCs (such as my field
> techs). This is all set up and working.
>
> Here's the problem - since this is part of the Default Domain Policy,
> *every* computer joined to the domain gets this setting, including ones that
> shouldn't (such as servers).
>
> Now, we keep all our various servers in 1 OU, a separate OU from all the
> client PCs. This Servers OU has its own GPO (with blocked inheritance).
>
> My question: is there a way for this Servers GPO to be able to remove a
> Restricted Group, if it exists? This way, when we move a server machine
> account to the Servers OU, this LocalAdminsGroup won't exist as a member of
> the local Administrators group? I see references everywhere on how to add to
> the Restricted Group, but not how to remove it ...
>
> I don't want my field techs to have local admin access on the servers, only
> on the client PCs.
>
> Thanks
>
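An added example, not code from anyone in this thread, that audits every computer in the Servers OU for the domain group the original post describes still sitting in the local Administrators group, so the condition the boss noticed can be found before it is noticed again. It assumes the ActiveDirectory module on the admin workstation, PowerShell 5.1 or later with WinRM reachable on the servers, and placeholder OU, domain and group names; it only reports, because a member removed locally is re-added at the next policy refresh as long as a Restricted Groups "Members of this group" entry naming it still applies to the server.

```powershell
# Added example (not from the thread): report which servers in the Servers OU
# list the unwanted domain group in their local Administrators group.
Import-Module ActiveDirectory

$ServersOU = 'OU=Servers,DC=example,DC=com'   # assumed placeholder OU path
$Unwanted  = 'EXAMPLE\LocalAdminsGroup'       # assumed NetBIOS domain; group name from the post

# Enumerate computer accounts that actually live in the Servers OU.
$servers = Get-ADComputer -Filter * -SearchBase $ServersOU |
    Select-Object -ExpandProperty Name

$findings = foreach ($server in $servers) {
    try {
        # Read the local Administrators membership on the remote server.
        $members = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        # Unreachable or WinRM-disabled servers are reported, not silently skipped.
        Write-Warning "${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        if ($m.Name -eq $Unwanted) {
            [pscustomobject]@{
                Server = $server
                Member = $m.Name
                Class  = $m.ObjectClass
                Source = $m.PrincipalSource
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No server in $ServersOU lists $Unwanted in local Administrators."
}
```

Re-run the report after a `gpupdate /force` on a sample server to confirm the change to the policy links actually took effect rather than relying on a one-off local removal.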
