Question : Restricted Groups - Group Policy GRRR!!!!!!!

Hi All,
 
Wondering if someone can shed some light on group policies for me. What I am attempting to do is give a certain group of users in a lab local admin rights so they can add and remove hardware and drivers. Easy, right? Wrong!!
 
What I have done is create an OU in Active Directory and create a group policy. Through "Computer Config\Windows Settings\Security Settings\Restricted Groups" I have added the group name Administrators (which is the local administrators group) and added the security group (the one I want to have admin rights) to the members section of this key. I replicate the group policy to both domain controllers and refresh the group policy on the workstation, check the local administrators group, and the domain group I wanted to add is a member of the local administrators group. Okay, everything seems to be hunky dory, so I log on as a student that is a member of the group in question and plug in my webcam. Nothing happens, and when I try to access the device manager I get an error telling me I do not have privileges to add or remove hardware. Grrrr!!!
 
The domain group that I am adding comes from one of our child domains, whose domain controller resides in our DMZ, and the group policy is applied through the root domain (don't think this should affect anything). But if I go to a machine, log on as a local administrator, and add the group from the child domain to the local administrators group manually, it works fine. It just seems to be when I add it through group policy that I encounter the problems.
 
Does anyone have any ideas, or has anyone ever encountered anything similar?

Thanks in advance

Answer : Restricted Groups - Group Policy GRRR!!!!!!!

"The Domain group that I am adding comes from one of our child domains which the domain controller resides in our DMZ, and the group policy is applied through the root domain (don't think this should affect anything)."

Where are the computers? Child or root? If child, create the policy in the child domain (or import it).

Policies should never traverse domains (i.e. be linked from domain to domain). Either create the policy in the domain that contains the object or, if the policy is to be applied in both domains, create two policies and apply them at the domain level in each domain. For one thing it is a performance issue, and for another some policies can't even traverse domains (password length etc., because a domain is a security boundary). But in this case the firewall could (and definitely should, IMHO) filter all but the required packets/ports out.
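
A check for the symptom described in the question, added here as an example and not part of the original posts: it compares what the Restricted Groups policy wrote into the local Administrators group with the group SIDs the logged-on user's token actually carries. `CHILD\LabAdmins` is a placeholder group name, the function name is hypothetical, and Windows PowerShell 5.1 or later is assumed for `Get-LocalGroupMember`.

```powershell
# Added example: run on the lab workstation while logged on as the affected user.
# 'CHILD\LabAdmins' is a placeholder for the group added through Restricted Groups.
function Test-RestrictedGroupEffect {
    param([Parameter(Mandatory)][string]$GroupName)

    # Resolve the domain group to its SID. This throws if the workstation
    # cannot reach a domain controller that knows the group.
    $sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Members of BUILTIN\Administrators (well-known SID S-1-5-32-544),
    # the group that the Restricted Groups setting populates.
    $localAdmins  = Get-LocalGroupMember -SID 'S-1-5-32-544'
    $inLocalGroup = @($localAdmins | ForEach-Object { $_.SID.Value }) -contains $sid

    # Group SIDs in the current logon token, which is what privilege and
    # access checks are evaluated against.
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $inToken = @($token.Groups | ForEach-Object { $_.Value }) -contains $sid

    [pscustomobject]@{
        User                        = $token.Name
        Group                       = $GroupName
        GroupSid                    = $sid
        ListedInLocalAdministrators = $inLocalGroup
        PresentInLogonToken         = $inToken
    }
}

Test-RestrictedGroupEffect -GroupName 'CHILD\LabAdmins'
```

`ListedInLocalAdministrators` true with `PresentInLogonToken` false matches the symptom in the question: the membership was written locally, but the user's logon session does not carry the group. A token is built at logon, so the comparison is only meaningful for a session started after the policy was applied.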
