June 2004

Restricted Groups Policy


A site administrator recently contacted me with a problem that developed after he used a Restricted Groups policy to lock down the local Administrators group. The administrator accounts from resource domains were being randomly added to the local Administrators group on the administrator's client machines. Some machines that the Restricted Groups policy affected showed trusted domain administrator accounts such as ResDom1\Administrator and Res-Dom2\Administrator. The local Administrators group also correctly showed global groups that the administrator had added to the Restricted Group Policy list from the machine's domain. The administrator account listed was random and changed with machine reboots.

I contacted Microsoft and learned that Group Policy is applied to clients through a policy template file. Active Directory (AD) compiles the settings you configure in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in into a plain text file that you can read with any text editor. This file is copied to the client's \%systemroot%\security\templates\policies folder; the client then applies the settings at machine start-up and every 90 minutes thereafter (by default). The default domain policy ends in *.dom; other policies that apply to the machine end in *.inf.

When I checked the policy files on one of the problem machines, I found the text that Figure 1 shows. The second line in Figure 1 shows that the local machine's administrator account is renamed localadmin. The third line shows that a Restricted Groups policy is in place. In the fourth line, S-1-5-32-544 is the local Administrators group's SID. The fifth line shows the users and groups that the Restricted Groups policy specifies.

The policy file information helped me find the problem's cause. When the administrator applied the policy to restrict the local Administrators group during machine start-up or policy refresh, the machine added the SID values correctly but couldn't resolve the name administrator in the .inf file because the machine didn't have an account called administrator in the local SAM. In addition, I had renamed the administrator account on the domain the machine was a member of. The client machine couldn't resolve the name administrator against its SAM or its domain and was passing the name to the trusted domain list. The first resource domain that had an account named administrator responded with that account's SID. The account was then added to the local Administrators group. This process repeated during each policy refresh.

You don't need to specifically add the local administrator account to the local Administrators group when using Restricted Groups policies. You can't remove this account from this group; the account is a group member by default. The problem we encountered occurred because the site administrator used the free text field to add the names of users and groups rather than browsing to the user or group in AD. To prevent this problem, use the Browse button when you add users and groups to a Restricted Groups policy. The Active Directory Users and Computers snap-in will then resolve the name of the user or group to the SID you want to add. Removing the word administrator from the Restricted Groups policy solved the problem.
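A small audit script for the template format described above, written for this article and not part of the original or of any Microsoft tool. It parses the [Group Membership] section of a constructed GptTmpl.inf-style file (placeholder SIDs, sample names) and lists every member entered as a bare, unqualified name, which is exactly the kind of entry the client must resolve at refresh time and that the Browse button would have stored as a SID instead.

```python
"""Lint a Restricted Groups template (GptTmpl.inf layout) for bare names.
Constructed example: '*S-...' entries are SIDs; anything else is a name the
client resolves at policy refresh, where the trusted-domain fall-through occurs."""
import re

# Constructed sample mirroring the layout the article describes; the
# S-1-5-21 SID is a placeholder, not a real domain SID.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "localadmin"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,administrator,CORP\\Desktop Admins
[Version]
signature="$CHICAGO$"
Revision=1
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_group_membership(text):
    """Return {group: {"Members": [...], "Memberof": [...]}} from the
    [Group Membership] section; group keys have their leading '*' stripped."""
    groups = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, relation = key.strip().lstrip("*").rpartition("__")
        members = [m.strip() for m in value.split(",") if m.strip()]
        groups.setdefault(group, {}).setdefault(relation, []).extend(members)
    return groups

def classify(member):
    """'sid' for '*S-1-...', 'qualified' for DOMAIN\\name, else 'bare'."""
    if member.startswith("*") and SID_RE.match(member[1:]):
        return "sid"
    return "qualified" if "\\" in member else "bare"

def find_unresolved_names(text):
    """(group, member) pairs whose member is a bare name: these are the
    entries to replace with a SID by re-adding them via the Browse button."""
    return [(g, m) for g, rel in parse_group_membership(text).items()
            for m in rel.get("Members", []) if classify(m) == "bare"]
```

Run it against the copy of the .inf file under \%systemroot%\security\templates\policies on an affected client; a hit such as ('S-1-5-32-544', 'administrator') is the entry to remove or replace with a SID.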

Windows IT Pro is a division of Penton Media Inc. © 2009 Penton Media, Inc.