Restricted Groups applying to specific global groups
j-man
Member Posts: 143
I'm missing something simple and it is driving me crazy.
I have an OU that needs to have the managers all have local administrator access. Simple, I says. Create a GPO that adds the global group to the computers' local administrators group, link it to the OU and then set security filtering to only apply for the managers security group. Nope. Tried creating a global group that contained all accounts that aren't in the managers group and denying them apply group policy in the Delegation tab for the group policy and nothing.
What am I missing? Can this not be done?
Comments
-
iBrokeIT
Member Posts: 1,318
You are making this way too complicated.
Create a new security group and add the users you want then apply permissions for that group.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
j-man
Member Posts: 143
Everyone in the Managers group will need to be members of the Local Administrators group on every computer they log on to and when they log off, standard Local Administrator group members apply (administrators, domain/domain admins). Sorry if that wasn't clear.
I wish I was the one making this complicated because then it wouldn't be complicated.
Thanks for the reply and sorry for the late response but things are absolutely crazy at work.
-
elTorito
Member Posts: 102
The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.
To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group to be a Member Of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.
Edit: I wouldn't recommend making anyone local administrator, especially not managers
WIP: CISSP, MCSE Server Infrastructure
Casual reading: CCNP, Windows Sysinternals Administrator's Reference, Network Warrior
-
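The Restricted Groups setting described in the reply above is stored in the GPO's GptTmpl.inf under a [Group Membership] section. The following is an added example, not part of any post in this thread: a small audit script that reads that section and reports which principals a policy places in local Administrators, and whether it uses the "Member Of" form (existing members are kept) or the "Members" form (the list replaces the local group's membership). The domain SID, RIDs and sample text are constructed for illustration.

```python
# Added example: audit the [Group Membership] section of a GPO's GptTmpl.inf.
ADMINS = {"s-1-5-32-544", "administrators"}  # BUILTIN\Administrators (SID or English name)

# Constructed samples; the domain SID and RIDs are made up for illustration.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
MEMBER_OF_FORM = f"""[Unicode]
Unicode=yes
[Group Membership]
*{DOM}-1105__Memberof = *S-1-5-32-544
*{DOM}-1105__Members =
"""
MEMBERS_FORM = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOM}-512,*{DOM}-1105
"""

def group_membership(inf_text):
    """Yield (group, relation, values) for each entry under [Group Membership]."""
    section = None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, relation = key.strip().rpartition("__")
        if sep:
            values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            yield group.lstrip("*"), relation.lower(), values

def local_admin_grants(inf_text):
    """List who the policy puts in local Administrators, and how."""
    grants = []
    for group, relation, values in group_membership(inf_text):
        if relation == "memberof" and any(v.lower() in ADMINS for v in values):
            # "Member Of" form: group is added, existing members are kept.
            grants.append((group, "added"))
        elif relation == "members" and group.lower() in ADMINS:
            # "Members" form: the list replaces the local group's membership.
            grants.extend((v, "replaces-existing") for v in values)
    return grants

if __name__ == "__main__":
    for name, text in (("Member Of", MEMBER_OF_FORM), ("Members", MEMBERS_FORM)):
        print(name, local_admin_grants(text))
```

Real GptTmpl.inf files are usually UTF-16 encoded, so decode them before passing the text in; on non-English systems the group name in `ADMINS` would need the localized name.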
OctalDump
Member Posts: 1,722
Edit: I wouldn't recommend making anyone local administrator, especially not managers
I second that. Also what you said about actually achieving a solution. But mostly, the bit about restricting local administrator access tightly.
2017 Goals - Something Cisco, Something Linux, Agile PM
-
j-man
Member Posts: 143
Thank you gentlemen. Again, sorry to be late with a reply.
The situation has been worked out. I don't know why this was such an issue and made to be more complicated than it needed to be in the first place but that is what happens sometimes.
Onward and upward (I guess)
-
nachodba
Member Posts: 201
The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.
To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group to be a Member Of of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.
This x 100.
2020 Goals
work-life balance