Active Directory Restricted Group confusion
Posted by pepoluan on Server Fault
Published on 2012-04-04T08:01:22Z
Tags: active-directory | group-policy
I am trying to implement Restricted Group policy for my company's AD infrastructure, namely standardizing the local "Administrators" group. The documentation (and various webpages) said that the "Members of this group" policy will wipe out the "Administrators" group. However, an experiment made me confused:
I created 2 GPOs:
- GPO-A replaces the Local Administrators with a list of domain users (e.g., "Alice" and "Bob")
- GPO-B inserts a domain user (e.g., "Charlie" -- not part of GPO A) into the Local Administrators
Experiment 1: GPO-A gets applied first (link order 2)
Everything happens as expected: GPO-A cleans out Local Admins and adds "Alice" & "Bob"; GPO-B adds "Charlie".
Experiment 2: GPO-B is applied first
What happens:
- "Charlie" gets added to the Local Admins group (which also contains 2 local users)
- The local users on the PC get deleted, and "Alice" and "Bob" get added.
- Result: Local Admins contain "Alice", "Bob", and "Charlie"
My confusion: In Experiment 2, I thought GPO-A would totally erase the Local Admins group, including users added by GPO-B (since GPO-A gets applied after GPO-B). As it happens, it only erases local users from the Local Admins, but keeps the domain users.
So, is that the way it should be? Or am I doing something incorrectly?
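To check what Restricted Groups actually left behind on a machine (the step the experiment above relies on), here is an added PowerShell audit, not code from the original post. It assumes the domain NetBIOS name `CORP` and the placeholder accounts `Alice`, `Bob` and `Charlie`; `Get-LocalGroupMember` comes with the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example, not from the original post. Compares the effective local
# Administrators membership with the baseline you expect the GPOs to produce,
# and separates local accounts from domain accounts (the distinction the
# experiment in the question turns on).

function Test-LocalAdminBaseline {
    param(
        # Hypothetical baseline: what GPO-A should leave behind (assumed domain CORP).
        [string[]]$Expected = @('CORP\Alice', 'CORP\Bob'),
        [string]$Group = 'Administrators'
    )

    # Get-LocalGroupMember (LocalAccounts module, Windows 10 / Server 2016+).
    # Name is reported as DOMAIN\User or COMPUTER\User; PrincipalSource is
    # 'Local' or 'ActiveDirectory'.
    $members = Get-LocalGroupMember -Group $Group

    $actual     = @($members | Select-Object -ExpandProperty Name)
    $missing    = @($Expected | Where-Object { $_ -notin $actual })
    $unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    $localOnly  = @($members  | Where-Object { $_.PrincipalSource -eq 'Local' } |
                    Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Group        = $Group
        Actual       = $actual -join ', '
        Missing      = $missing -join ', '      # expected but absent
        Unexpected   = $unexpected -join ', '   # present but not in the baseline
        LocalMembers = $localOnly -join ', '    # local accounts still in the group
        Drift        = [bool]($missing.Count -or $unexpected.Count)
    }
}

# In Experiment 2, "CORP\Charlie" would show up under Unexpected and the two
# local users would be gone from LocalMembers. Run "gpresult /r" alongside
# this to confirm which GPOs applied and in which order.
Test-LocalAdminBaseline | Format-List
```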