Restricted Groups applying to specific global groups

I'm missing something simple and it is driving me crazy.

I have an OU that needs to have the managers all have local administrator access. Simple, I says. Create a GPO that adds the global group to the computers local administrators group, link it to the OU and then set security filtering to only apply for the managers security group. Nope. Tried creating a global group that contained all accounts that aren't in the managers group and denying them apply group policy in the Delegation tab for the group policy and nothing.

What am I missing? Can this not be done?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

iBrokeIT

You are making this way too complicated.

Create a new security group and add the users you want then apply permissions for that group.

j-man

Everyone in the Managers group will need to be members of the Local Administrators group on every computer they log on to and when they log off, standard Local Administrator group members apply (administrators, domain/domain admins). Sorry if that wasn't clear.

I wish I was the one making this complicated because then it wouldn't be complicated.

Thanks for the reply and sorry for the late response but things are absolutely crazy at work.

elTorito

The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.

To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group to be a Member Of of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.

Edit: I wouldn't recommend making anyone local administrator, especially not managers

OctalDump

elTorito wrote: »

Edit: I wouldn't recommend making anyone local administrator, especially not managers

I second that. Also what you said about actually achieving a solution. But mostly, the bit about restricting local administrator access tightly.

j-man

Thank you gentlemen. Again, sorry to be late with a reply.

The situation has been worked out. I don't know why this was such an issue and made to be more complicated than it needed to be in the first place but that is what happens sometimes.

Onward and upward (I guess)

nachodba

elTorito wrote: »

The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.

To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group to be a Member Of of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.

This x 100.