“Once everything gets the updated GPO it should remove the group from local admin on the servers.”

The issue is that the Restricted Group setting tattoos the Registry (unless something has changed over the years), which I believe is why Michael had the problem even after moving servers to an OU which was blocking inheritance (thus not getting the policy that included the Restricted Group setting).

From: [email protected] [mailto:[email protected]] On Behalf Of Boyles, Peter J {BIS}
Sent: Tuesday, June 30, 2015 12:05 PM
To: [email protected]
Subject: RE: [NTSysADM] Removing a Restricted Group via GPO

The cleanest solution is to remove the setting from the default GPO and move it to a GPO that only impacts client systems. Once everything gets the updated GPO it should remove the group from local admin on the servers. Anything else has a multitude of other potential issues and will complicate determining what the RSOP is for a specific group of computers.

Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy
SM: Issues: GEUS DEVICE L2 SUPPORT  Requests: MIGRATION AND DISTRIBUTION
Office: (972) 963-6578 | E-Mail: [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 10:00 AM
To: [email protected]
Subject: Re: [NTSysADM] Removing a Restricted Group via GPO

On Tue, Jun 30, 2015 at 10:40 AM, Miller Bonnie L. <[email protected]> wrote:
> If you set a different restricted groups policy at the servers level it will override, but it would have to contain those settings/groups you want.

That's just it - I don't have any group I want for the servers, instead. I really don't want to make an empty AD group, just so I have something different to use for this one GPO, so that it will (effectively) remove the one I want, and instead leave one I also don't want but which isn't a threat ...

> We don't set ours at default domain policy as computers never land anywhere but in an OU (we've redirected the default containers). Instead, we link the policies up at the ous, including something different at servers level (under another ou structure).

Yeah, ours should be in the GPO for the client computers. I didn't make this change to the default domain policy, tho, I only heard about it today, when the boss complained about finding a domain group in a server's local administrators group. :-)

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
> Sent: Tuesday, June 30, 2015 7:12 AM
> To: [email protected]
> Subject: [NTSysADM] Removing a Restricted Group via GPO
>
> In our Default Domain Policy, we have a Restricted Group. This is a domain group of users we want to be local admins on all PCs (such as my field techs). This is all set up and working.
>
> Here's the problem - since this is part of the Default Domain Policy, *every* computer joined to the domain gets this setting, including ones that shouldn't (such as servers).
>
> Now, we keep all our various servers in 1 OU, a separate OU from all the client PCs. This Servers OU has its own GPO (with blocked inheritance).
>
> My question: is there a way for this Servers GPO to be able to remove a Restricted Group, if it exists? This way, when we move a server machine account to the Servers OU, this LocalAdminsGroup won't exist as a member of the local Administrators group? I see references everywhere on how to add to the Restricted Group, but not how to remove it ...
>
> I don't want my field techs to have local admin access on the servers, only on the client PCs.
>
> Thanks
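The thread leaves the practical follow-up open: once the Restricted Groups setting is taken out of the Default Domain Policy, the tattooed membership still has to be found and cleaned up on each server. The PowerShell below is an added example (not posted by anyone in the thread) that audits every computer in a Servers OU for the domain group in local Administrators and removes it only when run with -Remove; the domain name CORP, the group name LocalAdminsGroup and the OU distinguished name are placeholders, and it assumes the ActiveDirectory module on the admin workstation plus ADSI (WinNT provider) access to the servers.

```powershell
<#
  Audit, and optionally remove, a domain group from the local Administrators
  group on every computer in a Servers OU. Added example, not from the thread.
  Placeholders: domain CORP, group LocalAdminsGroup, OU DN below.
  Uses the ADSI WinNT provider, so PS remoting is not required on the targets.
#>
param(
    [string]$Domain    = 'CORP',
    [string]$GroupName = 'LocalAdminsGroup',
    [string]$ServersOU = 'OU=Servers,DC=corp,DC=example',
    [switch]$Remove    # audit only unless -Remove is given
)

Import-Module ActiveDirectory

function Get-LocalAdminMembers {
    param([string]$Computer)
    # Bind to the computer's local Administrators group via the WinNT provider
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members() returns COM objects; extract the ADsPath of each member
    @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# ADsPath form the WinNT provider reports for a domain group member
$target = "WinNT://$Domain/$GroupName"

$results = foreach ($name in (Get-ADComputer -Filter * -SearchBase $ServersOU).Name) {
    try {
        $members = Get-LocalAdminMembers -Computer $name
        $present = $members -contains $target     # -contains is case-insensitive
        if ($present -and $Remove) {
            # Tattooed membership survives the GPO change; remove it explicitly
            ([ADSI]"WinNT://$name/Administrators,group").Remove("$target,group")
        }
        [pscustomobject]@{ Computer = $name; HasGroup = $present
                           Removed  = ($present -and $Remove); Error = $null }
    } catch {
        [pscustomobject]@{ Computer = $name; HasGroup = $null
                           Removed  = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Run the audit first, and only use -Remove after the updated GPO has reached the servers, since a Restricted Groups policy that still applies will put the group back at the next policy refresh.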
