Both are working well
When working with Active Directory, does anyone know why Restricted Groups within Group Policy cannot be used to add a group to the Builtin\Administrators group on a domain controller?
I am able to use Restricted Groups to replace all the groups and add the ones I want but I cannot use it to add a group to Builtin\Administrators on the domain controller.
No other policies are overwriting this.
Hello,
When a restricted group policy is enforced, any current member of a restricted group that isn't on the Members list is removed, except for the administrator in the Administrators group. Any user on the Members list that isn't currently a member of the restricted group is added.
Only inclusion is enforced in this portion of a restricted group policy. The restricted group isn't removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.
Meanwhile, Builtin\Administrators denotes the local Administrators group on the server machine.
Do follow the link below to learn more.
Hope this answers all your queries; if not, please post back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )
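The Members and Member Of behaviours described in the answer above, modelled as an added example (not part of the original thread and not Windows' own implementation). The function `apply_restricted_groups`, the group names `ServerAdmins` and `LegacyOps`, and the starting state are constructed for illustration.

```python
# Simplified model of the Restricted Groups rules quoted in the answer above.
# Added illustration only: not Windows' implementation. All names are constructed.

def apply_restricted_groups(state, policy, builtin_admin="Administrator"):
    """Return the group memberships after one policy application.

    state  : {group: set(members)} before the policy is applied
    policy : {restricted_group: {"members": list or None, "member_of": list}}
             "members" is None when the Members list is not configured.
    """
    result = {group: set(members) for group, members in state.items()}
    for group, setting in policy.items():
        members = setting.get("members")
        if members is not None:
            # Members: authoritative. Anything not listed is removed, listed
            # entries are added; the administrator stays in Administrators.
            keep = set(members)
            if group == "Administrators" and builtin_admin in result.get(group, set()):
                keep.add(builtin_admin)
            result[group] = keep
        for parent in setting.get("member_of", []):
            # Member Of: inclusion only. The restricted group is added to the
            # parent; the parent's other members are left alone.
            result.setdefault(parent, set()).add(group)
    return result

# Constructed starting state of a machine's Administrators group.
BEFORE = {"Administrators": {"Administrator", "Domain Admins", "LegacyOps"}}

# Option 1: restrict Administrators itself through its Members list (replaces).
REPLACE_POLICY = {"Administrators": {"members": ["Domain Admins", "ServerAdmins"],
                                     "member_of": []}}

# Option 2: restrict ServerAdmins and list Administrators under Member Of (adds).
ADD_POLICY = {"ServerAdmins": {"members": None, "member_of": ["Administrators"]}}

if __name__ == "__main__":
    for name, policy in (("Members", REPLACE_POLICY), ("Member Of", ADD_POLICY)):
        after = apply_restricted_groups(BEFORE, policy)
        print(name, "->", sorted(after["Administrators"]))
```

Comparing the two results shows which existing administrators a Members-based policy would drop before it is linked.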
I think it should work. It's working in my lab environment.
Here's my GPO and where it's linked
Hello @Anonymous
Additionally,
This is because once you promote a computer to Domain Controller, all the local security groups are "migrated" to domain groups, and the local Administrators group is removed. This is due to the local SAM database usage, but there is a very good explanation in this post:
Best regards,