0 Votes
MartinClark-6263 asked cthivierge answered

Restricted group GPO still inheriting other groups from other GPOs

I have created a new OU in our domain and placed several servers within it.
I have linked a new GPO with a Restricted Groups policy to it, adding two new groups to the local Administrators group as members.
Within the parent OU are several Restricted Groups policies which add groups to the local Administrators group via "member of".

It seems that although I have a Restricted Groups entry adding these two groups as members, which should then be the only members of the Administrators group, the groups from the other RG policies are also being added.

Does anyone know why this is happening? I would assume that the GPO linked to the new OU would be the winning GPO and clear all other entries from the local Administrators group.

Many thanks

windows-group-policy

1 Answer

0 Votes
cthivierge answered

Well... it depends on how you have configured your Restricted Group within your GPO.

If you configure your Restricted Group by selecting a domain group and then specifying that this domain group is a member of the Administrators group, the GPO will only add this domain group to the local Administrators group.

But if you create a group entry by typing Administrators and then add domain users in the "Members of this group" section, that will overwrite all existing groups and only this configuration will be applied.

To make a quick review:

To add domain groups to the local Administrators group (without removing any other groups that may be present):
In Restricted Groups, click Add Group, search for your domain group and click OK.
Then click Add beside "This group is a member of:" and type Administrators.
And click OK.

To add a domain group to the local Administrators group (removing all other groups and users):
In Restricted Groups, click Add Group, type Administrators and click OK.
Then click Add beside "This group is a member of:" and type Administrators.
And click OK.

But I did a few tests and it seems there is an issue with this... When the server applies GPOs after a restart, the GPOs are applied correctly and only the winning GPO configuration applies (only the GPO with a local group and a domain group under "Members of this group").

But if I manually run "gpupdate /force" on the server, all other GPOs that are configured with "This group is a member of" are also applied...

If I run rsop.msc, I get a message saying the GPO configured with "This group is a member of" has a red X and that the settings are not applied... but they are...

Hmmm... really weird...
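The distinction the answer draws is visible on disk: each GPO's Restricted Groups settings are stored in its security template (`\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`) under `[Group Membership]`, as `<group>__Members = ...` lines (authoritative: the group's membership becomes exactly that list) and `<group>__Memberof = ...` lines (additive: the group is added to each listed group). The script below is an added example, not code from the original thread; it parses constructed templates (made-up GPO names and domain SIDs) and predicts the merged local Administrators membership under the documented semantics, where the highest-precedence GPO's `__Members` list replaces the existing members and every applied GPO's `__Memberof` entries are then added on top. That model reproduces the asker's observation: the child-OU GPO clears the group, but the parent-OU "member of" entries still land in it.

```python
"""Classify Restricted Groups entries from GptTmpl.inf security templates.

Added example (not part of the original Q&A). The GPO names and the domain
SIDs in SAMPLE_TEMPLATES are constructed for illustration; the well-known
SID of BUILTIN\\Administrators and the file layout are real.
"""
import re

ADMINISTRATORS_SID = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample templates, ordered from highest to lowest precedence:
# the GPO linked to the new child OU first, then the parent OU's RG GPOs.
# The GPMC writes an empty __Members line for every group you add, even when
# you only filled in "This group is a member of"; for a domain group that
# line enforces nothing on a member server, which holds no such local group.
SAMPLE_TEMPLATES = [
    ("ChildOU-ServerAdmins", """
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1108,*S-1-5-21-1111-2222-3333-1109
"""),
    ("ParentOU-HelpdeskAdmins", """
[Group Membership]
*S-1-5-21-1111-2222-3333-1050__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1050__Members =
"""),
    ("ParentOU-OpsAdmins", """
[Group Membership]
*S-1-5-21-1111-2222-3333-1051__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1051__Members =
"""),
]

ENTRY_RE = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$")


def parse_group_membership(template_text):
    """Return (group, kind, accounts) tuples from the [Group Membership] section.

    kind is 'Members' (authoritative) or 'Memberof' (additive). Empty account
    lists are kept: an empty __Members line still means "no members".
    """
    entries, in_section = [], False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            accounts = [a.strip() for a in m.group("value").split(",") if a.strip()]
            entries.append((m.group("group"), m.group("kind"), accounts))
    return entries


def classify(entries):
    """Split entries into authoritative (group -> exact members) and
    additive (target group -> groups to add) settings."""
    authoritative, additive = {}, {}
    for group, kind, accounts in entries:
        if kind == "Members":
            authoritative[group] = accounts
        else:
            for target in accounts:
                additive.setdefault(target, []).append(group)
    return authoritative, additive


def predict_membership(templates, target=ADMINISTRATORS_SID):
    """Predict the resulting membership of `target` under the documented semantics.

    templates: (gpo_name, template_text) pairs, highest precedence first.
    Returns (base_source, sorted_members). base_source is the GPO whose
    __Members list replaced the existing membership, or None if no applied
    GPO is authoritative for the group (then only the additions are listed
    and whatever was already in the group stays).
    """
    base_source, members = None, set()
    for gpo_name, text in templates:
        authoritative, _ = classify(parse_group_membership(text))
        if target in authoritative:
            base_source, members = gpo_name, set(authoritative[target])
            break  # only the winning GPO's __Members list counts
    for _, text in templates:
        _, additive = classify(parse_group_membership(text))
        members.update(additive.get(target, []))  # __Memberof is cumulative
    return base_source, sorted(members)


if __name__ == "__main__":
    for name, text in SAMPLE_TEMPLATES:
        auth, add = classify(parse_group_membership(text))
        print(f"{name}: authoritative={auth} additive={add}")
    print("Predicted Administrators:", predict_membership(SAMPLE_TEMPLATES))
```

To check a real server, copy the GptTmpl.inf of every GPO that `gpresult /scope computer /r` lists as applied, feed them in precedence order, and compare the prediction with `Get-LocalGroupMember Administrators`; a mismatch between a fresh boot and `gpupdate /force`, as the answer reports, is then easy to pin to a specific GPO.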
