0 Votes
Default-1573 asked, LimitlessTechnology-2700 answered

Domain Controller Builtin\Administrators (Restricted Groups)

When working with Active Directory, does anyone know why Restricted Groups within Group Policy cannot be used to add a group to the Builtin\Administrators group on a domain controller?

I am able to use Restricted Groups to replace all the groups and add the ones I want but I cannot use it to add a group to Builtin\Administrators on the domain controller.

No other policies are overwriting this.


windows-group-policy

1 Vote
cthivierge answered, Default-1573 commented

Both are working well

[Attached screenshots: group5.png, group6.png]

Hm, do you know anything that would stop this from working or conflict with/overwrite this policy in any way? I tried to do exactly what you just did and couldn't get it to work.

0 Votes

I see my mistake, thank you.

0 Votes

0 Votes
LimitlessTechnology-2700 answered

Hello,

When a restricted group policy is enforced, any current member of a restricted group that isn't on the Members list is removed, except for the administrator in the Administrators group. Any user on the Members list that isn't currently a member of the restricted group is added.

Only inclusion is enforced in this portion of a restricted group policy. The restricted group isn't removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.

Builtin\Administrators denotes the local Administrators group on the machine (server).

Follow the link below to learn more:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/description-of-group-policy-restricted-groups

Hope this answers all your queries, if not please do repost back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )
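As an added example (not part of this thread or of Microsoft's documentation), the following Python reads the [Group Membership] section of a GPO's GptTmpl.inf, which is the on-disk form of Restricted Groups, and computes what the policy would do to a group: a "Members" list replaces the membership (keeping the built-in Administrator in Administrators, as described above), while a "Member Of" entry only adds. Both sample policies and every SID except the well-known S-1-5-32-544 are constructed for the example.

```python
"""Audit what a Restricted Groups policy would do to a group's membership.
Constructed sample data; only S-1-5-32-544 (BUILTIN\\Administrators) is a real SID."""
import re

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed GptTmpl.inf fragments. The first sets a Members list for
# Administrators (replace semantics) and a Member Of entry for GRP_01; the
# second uses Member Of only, which is the add-only form asked about above.
REPLACE_POLICY = """[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-512
GRP_01__Memberof = *S-1-5-32-544
"""
ADD_ONLY_POLICY = """[Group Membership]
GRP_01__Memberof = *S-1-5-32-544
"""
# Constructed current membership of Administrators on a domain controller.
CURRENT_ADMINS = {"S-1-5-21-1000-2000-3000-500",    # built-in Administrator (RID 500)
                  "S-1-5-21-1000-2000-3000-512",    # Domain Admins
                  "S-1-5-21-1000-2000-3000-519",    # Enterprise Admins
                  "S-1-5-21-1000-2000-3000-1105"}   # some legacy group

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership].
    Empty values are treated as 'not configured' (a simplification for this example)."""
    policy, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"\*?(.+?)__(Members|Memberof)", key.strip(), re.IGNORECASE)
        if m:
            entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
            policy.setdefault(m[1], {"members": [], "memberof": []})[m[2].lower()] += entries
    return policy

def effective_membership(inf_text, group, current):
    """Apply the policy to `group`. Returns (resulting members, members removed)."""
    policy = parse_group_membership(inf_text)
    members = set(current)
    listed = policy.get(group, {}).get("members", [])
    if listed:                       # Members list: replace everything not listed
        members = set(listed)
        if group == ADMINISTRATORS:  # the built-in Administrator account survives
            members |= {s for s in current if s.endswith("-500")}
    for other, cfg in policy.items():  # Member Of entries: add only, never remove
        if group in cfg["memberof"]:
            members.add(other)
    return sorted(members), sorted(set(current) - members)
```

Running `effective_membership(REPLACE_POLICY, ADMINISTRATORS, CURRENT_ADMINS)` shows Enterprise Admins and the legacy group being dropped, which is the silent side effect of using the Members list on a DC; the add-only policy leaves the existing membership intact.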


0 Votes
cthivierge answered, Default-1573 commented

I think it should work. It's working in my lab environment.


Here's my GPO and where it's linked

[Attached screenshots of the GPO and where it is linked: group1.png, group2.png, group3.png, group4.png]

You are doing a replace. Try specifying the groups individually and making those groups a member of Administrators, e.g. GRP_01: "This group is a member of: Administrators". Doing it this way is what is not working for me.

0 Votes

0 Votes
LimitlessTechnology-2700 answered

Hello @Default-1573

Additionally,

This is because once you promote a computer to Domain Controller, all the local security groups are "migrated" to domain groups, and the local Administrators group is removed. This is due to the local SAM database usage, but there is a very good explanation in this post:

https://social.technet.microsoft.com/Forums/exchange/en-US/91294fdf-1565-4861-bf23-ba62937f1c11/what-happens-to-local-users-and-groups-after-a-computer-joined-a-domain?forum=winservergen

Best regards,
