Unless I'm misunderstanding, this is the answer:
You said the servers OU is blocking inheritance, so already the Restricted
Group setting won't apply, which I'm sure you already know, but....
I assume you're referring to the issue where Restricted Groups are
tattooed onto the Registry, so when you move a server into the Servers OU,
it still has the group as a member of Administrators. To resolve that, set a
Group Policy Preference Local Users and Groups setting....
Action: Update
Group Name: Administrators (built-in)
Members section:
Name: <domain>\<groupyouwanttoremove>
Action: REMOVE
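The GPP "Update / REMOVE" item above is the steady-state fix, but it only takes effect after the moved server refreshes policy, and it gives no report of which servers were still carrying the group. The following PowerShell script is an added example, not from this thread or from anyone on it: it enumerates the computers in the Servers OU, checks each one's built-in Administrators group for the domain group, and removes it only when run with -Remediate. The group name CONTOSO\LocalAdminsGroup and the OU distinguished name are assumptions; substitute your own. It needs the ActiveDirectory RSAT module on the host you run it from and the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 / WMF 5.1 or later) on the targets.

```powershell
# Added example: audit (and optionally remove) a tattooed Restricted Groups
# membership from the local Administrators group of every server in an OU.
# Assumed values (not from the thread): group CONTOSO\LocalAdminsGroup and
# OU=Servers,DC=contoso,DC=com. Run from a host with RSAT-AD-PowerShell.
param(
    [string]$GroupToRemove = 'CONTOSO\LocalAdminsGroup',     # assumed
    [string]$ServersOU     = 'OU=Servers,DC=contoso,DC=com', # assumed
    [switch]$Remediate                                       # default: report only
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the domain group to its SID once, on the management host, so the
# per-server check matches by SID and is not fooled by a renamed group or
# a stale name that no longer resolves.
$targetSid = ([System.Security.Principal.NTAccount]$GroupToRemove).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Runs on each server. Built-in Administrators is always S-1-5-32-544, so
# address it by SID rather than by (possibly localized) name.
$check = {
    param([string]$Sid, [bool]$Fix)

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Present  = $false
        Removed  = $false
        Error    = $null
    }
    try {
        # -ErrorAction Stop: on some builds Get-LocalGroupMember throws when
        # the group holds an orphaned SID; surface that instead of reporting
        # a false "not present".
        $member = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                  Where-Object { $_.SID.Value -eq $Sid }
        if ($member) {
            $result.Present = $true
            if ($Fix) {
                Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $member -ErrorAction Stop
                $result.Removed = $true
            }
        }
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

# Enabled computer accounts currently in the Servers OU.
$servers = Get-ADComputer -SearchBase $ServersOU -Filter 'Enabled -eq $true' |
           Select-Object -ExpandProperty DNSHostName

$report = Invoke-Command -ComputerName $servers -ScriptBlock $check `
              -ArgumentList $targetSid, $Remediate.IsPresent -ErrorAction Continue

$report | Sort-Object Computer |
    Format-Table Computer, Present, Removed, Error -AutoSize
```

Run it once without -Remediate to see which servers still have the group, then with -Remediate to clean them up immediately; after that, the GPP REMOVE item on the Servers OU GPO keeps the membership from coming back if a machine is re-imaged or the group is re-added by hand. Running the audit again after a gpupdate on a freshly moved server is also a quick way to confirm the preference item is actually being applied.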
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 11:00 AM
To: [email protected]
Subject: Re: [NTSysADM] Removing a Restricted Group via GPO
On Tue, Jun 30, 2015 at 10:40 AM, Miller Bonnie L.
<[email protected]> wrote:
> If you set a different restricted groups policy at the servers level it
> will override, but it would have to contain those settings/groups you
> want.
That's just it - I don't have any group I want for the servers, instead. I
really don't want to make an empty AD group, just so I have something
different to use for this one GPO, so that it will
(effectively) remove the one I want, and instead leave one I also don't want
but which isn't a threat ...
> We don't set ours at default domain policy as computers never land
> anywhere but in an OU (we've redirected the default containers). Instead,
> we link the policies up at the ous, including something different at
> servers level (under another ou structure).
Yeah, ours should be in the GPO for the client computers. I didn't make this
change to the default domain policy, though, I only heard about it today, when
the boss complained about finding a domain group in a server's local
Administrators group. :-)
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Michael Leone
> Sent: Tuesday, June 30, 2015 7:12 AM
> To: [email protected]
> Subject: [NTSysADM] Removing a Restricted Group via GPO
>
> In our Default Domain Policy, we have a Restricted Group. This is a domain
> group of users we want to be local admins on all PCs (such as my field
> techs). This is all set up and working.
>
> Here's the problem - since this is part of the Default Domain Policy,
> *every* computer joined to the domain gets this setting, including ones
> that shouldn't (such as servers).
>
> Now, we keep all our various servers in 1 OU, a separate OU from all the
> client PCs. This Servers OU has its own GPO (with blocked inheritance).
>
> My question: is there a way for this Servers GPO to be able to remove a
> Restricted Group, if it exists? This way, when we move a server machine
> account to the Servers OU, this LocalAdminsGroup won't exist as a member
> of the local Administrators group? I see references everywhere on how to
> add to the Restricted Group, but not how to remove it ...
> I don't want my field techs to have local admin access on the servers,
> only on the client PCs.
>
> Thanks
>
>