On Tue, Jun 30, 2015 at 11:23 AM, Charles F Sullivan <[email protected]> wrote:
> Unless I'm misunderstanding, this is the answer:
>
> You said the servers OU is blocking inheritance, so already the Restricted
> Group setting won't apply, which I'm sure you already know, but....
>
> I assume you're referring to the issue where Restricted Groups are
> tattooed onto the Registry, so when you move a server into the Servers OU,
> it still has the group as a member of Administrators. To resolve that, set a
> Group Policy Preference Local Users and Groups setting....
>
> Action: Update
> Group Name: Administrators (built-in)
> Members section:
> Name: <domain>\<groupyouwanttoremove>
> Action: REMOVE

Yes! That worked; it removed that domain group from the Local Administrators Group on a test server (I keep a testing OU and GPO for just such times ...) Thanks!
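
One way to confirm the removal described in this thread on each server once the preference item has applied (an added example, not part of the original messages). The function name `Test-LocalAdminMember`, the account `CONTOSO\Server-Admins` and the server names are constructed placeholders; the check assumes the account is given with its NetBIOS domain name and that the local group is named `Administrators`.

```powershell
# Added example: report whether a domain group is still a member of the
# local Administrators group, using the ADSI WinNT provider so it also
# works on servers without the Microsoft.PowerShell.LocalAccounts module.
function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)] [string]   $Account,                       # DOMAIN\group
        [string[]]                        $ComputerName = $env:COMPUTERNAME
    )

    # The WinNT provider reports domain members as WinNT://DOMAIN/name
    $domain, $name = $Account -split '\\', 2
    $wanted = "WinNT://$domain/$name"

    foreach ($computer in $ComputerName) {
        try {
            $group = [ADSI]"WinNT://$computer/Administrators,group"
            # Members are returned as COM objects; read ADsPath via reflection
            $paths = @($group.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            })
            [pscustomobject]@{
                Computer    = $computer
                Account     = $Account
                StillMember = ($paths -contains $wanted)   # -contains is case-insensitive
                Members     = $paths -join '; '
                Error       = $null
            }
        }
        catch {
            # Unreachable host or access denied: report it instead of
            # silently treating the server as clean
            [pscustomobject]@{
                Computer    = $computer
                Account     = $Account
                StillMember = $null
                Members     = $null
                Error       = $_.Exception.Message
            }
        }
    }
}

# Constructed sample call: check two servers after a Group Policy refresh
Test-LocalAdminMember -Account 'CONTOSO\Server-Admins' -ComputerName 'SRV-TEST01', 'SRV-TEST02' |
    Format-Table Computer, StillMember, Error -AutoSize
```

A row with `StillMember` set to `True` means the tattooed membership is still present on that server; a non-empty `Error` means the server could not be checked and should not be counted as remediated.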
