Restricted Groups applying to specific global groups

I'm missing something simple and it is driving me crazy.

I have an OU that needs to have the managers all have local administrator access. Simple, I says. Create a GPO that adds the global group to the computers local administrators group, link it to the OU and then set security filtering to only apply for the managers security group. Nope. Tried creating a global group that contained all accounts that aren't in the managers group and denying them apply group policy in the Delegation tab for the group policy and nothing.

What am I missing? Can this not be done?

Comments

  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,308
    You are making this way too complicated.

    Create a new security group and add the users you want then apply permissions for that group.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • j-man Member Posts: 143
    Everyone in the Managers group will need to be members of the Local Administrators group on every computer they log on to and when they log off, standard Local Administrator group members apply (administrators, domain/domain admins). Sorry if that wasn't clear.

    I wish I was the one making this complicated because then it wouldn't be complicated.

    Thanks for the reply and sorry for the late response but things are absolutely crazy at work.
  • elTorito Member Posts: 102
    The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.

    To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group as a "Member Of" of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.

    Edit: I wouldn't recommend making anyone local administrator, especially not managers ;)
    WIP: CISSP, MCSE Server Infrastructure
    Casual reading: CCNP, Windows Sysinternals Administrator's Reference, Network Warrior
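    As an added example (not code from the thread or from any poster), here is a PowerShell check a domain admin can run after linking the "Member Of" Restricted Groups GPO to the computer OU: it reads the local Administrators group on each computer in the OU and reports any member that is missing from, or not in, the expected set. The OU distinguished name and the DOMAIN prefix are placeholders, and it assumes the ActiveDirectory module, WinRM and the LocalAccounts cmdlets are available.

    ```powershell
    # Added example: verify the result of the Restricted Groups "Member Of" GPO.
    # Placeholders: the OU DN and the DOMAIN netbios name are not from the thread.
    $ouDn     = 'OU=ManagerWorkstations,DC=domain,DC=local'   # placeholder OU
    $expected = @('DOMAIN\Domain Admins', 'DOMAIN\Managers')   # expected domain members

    # Enabled computer objects in the OU the GPO is linked to
    $computers = Get-ADComputer -SearchBase $ouDn -Filter 'Enabled -eq $true' |
                 Select-Object -ExpandProperty Name

    # Collect local Administrators membership from every computer in one remoting call.
    # The SID is flattened to a string so it survives remoting serialization.
    $membership = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Member'; e = { $_.Name } },
                          @{ n = 'Sid';    e = { $_.SID.Value } },
                          PrincipalSource
    }

    $report = foreach ($computer in $computers) {
        $members = $membership | Where-Object PSComputerName -eq $computer
        if (-not $members) {
            Write-Warning "$computer`: unreachable or no data returned"
            continue
        }

        # The built-in local Administrator account always has RID 500, even if renamed,
        # so it is recognised by SID rather than by name and is not reported as unexpected.
        $names      = $members | Where-Object { $_.Sid -notlike '*-500' } |
                      Select-Object -ExpandProperty Member
        $missing    = $expected | Where-Object { $_ -notin $names }
        $unexpected = $names    | Where-Object { $_ -notin $expected }

        [pscustomobject]@{
            Computer   = $computer
            Missing    = ($missing    -join ', ')
            Unexpected = ($unexpected -join ', ')
        }
    }

    # Computers with anything in Unexpected are worth a look: Restricted Groups "Member Of"
    # only adds the Managers group, it does not remove members that were added by hand.
    $report | Sort-Object Computer | Format-Table -AutoSize
    ```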


  • OctalDump Member Posts: 1,722
    elTorito wrote: »
    Edit: I wouldn't recommend making anyone local administrator, especially not managers ;)

    I second that. Also what you said about actually achieving a solution. But mostly, the bit about restricting local administrator access tightly.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • j-man Member Posts: 143
    Thank you gentlemen. Again, sorry to be late with a reply.

    The situation has been worked out. I don't know why this was such an issue and made to be more complicated than it needed to be in the first place but that is what happens sometimes.

    Onward and upward (I guess)
  • nachodba US Member Posts: 201
    elTorito wrote: »
    The restricted groups policy is a Computer Configuration setting. As such, you cannot scope it to a user.

    To achieve what you have in mind, create a GPO (or use an existing GPO), configure the DOMAIN\Managers security group as a "Member Of" of "Administrators" in the Restricted Groups node, then scope the GPO to the OU that contains your domain computers. The result will be that the Managers group is added to the local administrators group on top of existing memberships, such as .\administrator and Domain Admins.

    This x 100.
    2020 Goals
    work-life balance