The cleanest solution is to remove the setting from the default GPO and move it
to a GPO that only impacts client systems. Once everything gets the updated
GPO it should remove the group from local admin on the servers.
Anything else has a multitude of other potential issues and will complicate
determining what the RSOP is for a specific group of computers.
Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy
SM: Issues: GEUS DEVICE L2 SUPPORT
Requests: MIGRATION AND DISTRIBUTION
Office: (972) 963-6578 | E-Mail: [email protected]
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 10:00 AM
To: [email protected]
Subject: Re: [NTSysADM] Removing a Restricted Group via GPO
On Tue, Jun 30, 2015 at 10:40 AM, Miller Bonnie L.
<[email protected]> wrote:
> If you set a different restricted groups policy at the servers level it will
> override, but it would have to contain those settings/groups you want.
That's just it - I don't have any group I want for the servers,
instead. I really don't want to make an empty AD group, just so I have
something different to use for this one GPO, so that it will
(effectively) remove the one I want, and instead leave one I also
don't want but which isn't a threat ...
> We don't set ours at default domain policy as computers never land anywhere
> but in an OU (we've redirected the default containers). Instead, we link the
> policies up at the ous, including something different at servers level (under
> another ou structure).
Yeah, ours should be in the GPO for the client computers. I didn't
make this change to the default domain policy, tho, I only heard about
it today, when the boss complained about finding a domain group in a
servers local administrators group. :-)
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Michael Leone
> Sent: Tuesday, June 30, 2015 7:12 AM
> To: [email protected]
> Subject: [NTSysADM] Removing a Restricted Group via GPO
>
> In our Default Domain Policy, we have a Restricted Group. This is a domain
> group of users we want to be local admins on all PCs (such as my field
> techs). This is all set up and working.
>
> Here's the problem - since this is part of the Default Domain Policy,
> *every* computer joined to the domain gets this setting, including ones that
> shouldn't (such as servers).
>
> Now, we keep all our various servers in 1 OU, a separate OU from all the
> client PCs. This Servers OU has its own GPO (with blocked inheritance).
>
> My question: is there a way for this Servers GPO to be able to remove a
> Restricted Group, if it exists? This way, when we move a server machine
> account to the Servers OU, this LocalAdminsGroup won't exist as a member of
> the local Administrators group? I see references everywhere on how to add to
> the Restricted Group, but not how to remove it ...
> I don't want my field techs to have local admin access on the servers, only
> on the client PCs.
>
> Thanks
>
>
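Once the Restricted Groups setting has been moved out of the Default Domain Policy, as Peter suggests at the top of the thread, the result should be verified rather than assumed. The following PowerShell audit is an added example, not code from anyone in the thread; it walks the Servers OU and reports any server whose local Administrators group still contains the domain group. The OU distinguished name and the `EXAMPLE\LocalAdminsGroup` name are placeholders, and it assumes the ActiveDirectory RSAT module and PowerShell remoting to the servers.

```powershell
# Added example (not from the thread): confirm that no server in the Servers OU
# still carries the domain group in local Administrators after the GPO change.
# Assumptions: ActiveDirectory RSAT module installed, PS remoting enabled on the
# servers, and the OU path / group name below are placeholders for your own.
$ServersOU   = 'OU=Servers,DC=example,DC=com'   # placeholder DN
$DomainGroup = 'EXAMPLE\LocalAdminsGroup'        # placeholder; name taken from the thread

Import-Module ActiveDirectory
$servers = Get-ADComputer -SearchBase $ServersOU -Filter 'Enabled -eq $true' |
           Select-Object -ExpandProperty Name

# Collect local Administrators membership from every reachable server.
# Get-LocalGroupMember exists on Windows 10 / Server 2016 and later.
$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource
}

# A hit here means the old policy is still winning on that machine (stale RSoP,
# replication lag, or a leftover link); check it with gpresult /scope computer /r.
$stillPresent = @($results | Where-Object { $_.Name -eq $DomainGroup })
if ($stillPresent.Count -gt 0) {
    "Servers still granting $DomainGroup local admin:"
    $stillPresent | Format-Table Computer, Name, PrincipalSource -AutoSize
} else {
    "No server in $ServersOU still has $DomainGroup in local Administrators."
}

# Servers that did not answer were not verified and need a manual check.
$reached   = @($results | Select-Object -ExpandProperty PSComputerName -Unique)
$unreached = @($servers | Where-Object { $_ -notin $reached })
if ($unreached.Count -gt 0) { "Not verified (unreachable): $($unreached -join ', ')" }
```

Run it again after the next policy refresh (or after `gpupdate /force` on a sample server) so that a clean report reflects the new GPO rather than a machine that has not yet re-applied policy.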