You should be able to accomplish this by using a WMI filter to restrict the OS,
or possibly with item level targeting if it's available for the things you're
doing, so that it excludes the server OU.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
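One way to check the WMI-filter approach suggested above, as an added PowerShell example that is not from the thread: it assumes the filter is keyed on Win32_OperatingSystem.ProductType (1 = workstation, 2 = domain controller, 3 = server) and uses a placeholder for the domain group name.

```powershell
# Added example (not from the thread). The WQL below is what a "workstations only"
# WMI filter would contain; evaluating it locally shows which machines the linked
# GPO (with its Restricted Groups setting) will apply to.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$WorkstationOnlyWql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'

function Test-WmiFilterMatch {
    param([string]$Query = $WorkstationOnlyWql)
    # A WMI filter passes when the query returns at least one instance.
    $hits = Get-CimInstance -Query $Query -ErrorAction Stop
    return [bool]$hits
}

function Get-LocalAdminAudit {
    # Placeholder group name: substitute the real domain group from the policy.
    param([string]$DomainGroup = 'CONTOSO\LocalAdminsGroup')
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ProductType       = (Get-CimInstance Win32_OperatingSystem).ProductType
        PolicyShouldApply = Test-WmiFilterMatch
        GroupIsLocalAdmin = ($members -contains $DomainGroup)
    }
}

# A server shows PolicyShouldApply = False; if GroupIsLocalAdmin is still True,
# the membership was written before the filter existed and needs cleanup.
Get-LocalAdminAudit | Format-List
```

The filter only stops the setting from applying going forward; a group already placed in a server's local Administrators by the earlier policy stays there until removed, so run the audit on existing servers.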
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 10:12 AM
To: [email protected]
Subject: [NTSysADM] Removing a Restricted Group via GPO
In our Default Domain Policy, we have a Restricted Group. This is a domain
group of users we want to be local admins on all PCs (such as my field techs).
This is all set up and working.
Here's the problem - since this is part of the Default Domain Policy,
*every* computer joined to the domain gets this setting, including ones that
shouldn't (such as servers).
Now, we keep all our various servers in 1 OU, a separate OU from all the client
PCs. This Servers OU has its own GPO (with blocked inheritance).
My question: is there a way for this Servers GPO to be able to remove a
Restricted Group, if it exists? This way, when we move a server machine account
to the Servers OU, this LocalAdminsGroup won't exist as a member of the local
Administrators group? I see references everywhere on how to add to the
Restricted Group, but not how to remove it ...
I don't want my field techs to have local admin access on the servers, only on
the client PCs.
Thanks