
Using Server 2012 R2 in a domain environment, I'm trying to add specific groups of users to the Administrators (local) group on computers organized in OUs using GPP and item-level targeting.

While the GPO shows that it is applying (via gpresult), the Administrators group membership doesn't change. I've even placed a test OU at the top of the domain and disabled inheritance. I know I can use Restricted Groups, but it'll be a pain for the set of scopes we need. To test this, I've set Restricted Groups up in the same GPO and it works fine.
Long story short, can GPPs actually be used to set local Administrators membership?

Update: Testing has provided the following results:

  • In the OU tree, if I have a Restricted Group set higher up, that change takes effect.
  • If I place a Restricted Group setting in the same GPO, that change takes effect. (Follows proper LSDOU order.)
  • Most interesting part: when I try to use GPP, I can change the local Administrators group description, but membership doesn't change.


I know that semi-recently (within the last year or so) MS rolled out an update that disabled the ability to change local admin passwords via GPO. Does anyone know if it also broke this GPP ability too? Or alternatively, is anyone using this to set groups with an updated version of 2012 R2?

1 Answer


Make sure you choose the Administrators (built-in) option from the drop-down menu of the Group Policy Preference.

I have this configured at Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups with the Action set to "Update".

Josh
  • Yep, that's what I'm doing except I'm using "Replace" instead. – Ijustpressbuttons Sep 24 '15 at 18:39
  • I would try setting it to Update, rather than Replace. – Josh Sep 24 '15 at 18:42
  • Replace is essentially the same as Update except you can set the item to be removed "when it's no longer applied". Anyway, changed it for kicks and giggles and still nothing. – Ijustpressbuttons Sep 24 '15 at 18:54
  • Coming back to this, I have checked and I am able to use "Update" to make the changes. I must have had the Item-level targeting previously messed up. In retrospect, "Replace" cannot work because you can never remove the admin account from administrators, since "Replace" essentially purges and adds, it is impossible to apply to this group. Unfortunately, this doesn't explain why Policies can do this while Preferences can't, but it gives a solution. – Ijustpressbuttons Jan 06 '16 at 17:10
  • Glad to hear you got it all worked out. – Josh Jan 06 '16 at 17:12
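The asker's symptom was a GPP that gpresult reported as applied while the local Administrators membership stayed unchanged. The script below is an added example (not part of the question or answer) that verifies what the GPP item actually produced: it reads local Administrators membership on a list of computers over PowerShell remoting and compares it with the members the GPP item is supposed to enforce. Computer names, the CONTOSO domain and the group names are constructed placeholders, and it assumes WinRM is enabled on the targets.

```powershell
# Added example (not from the question or answer): verify that the GPP item
# really changed local Administrators membership on a set of computers, by
# comparing the actual group members with the list the GPP should enforce.
# All names below are constructed placeholders; replace them with your own.

$Computers = @('WKS-TEST01', 'WKS-TEST02')            # constructed placeholder names
$ExpectedMembers = @(                                   # what the GPP item should enforce
    'Administrator',                                    # built-in account; cannot be removed, so "Replace" cannot purge it
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'                        # constructed placeholder group
)

# Reads local Administrators membership via ADSI/WinNT, which works on 2012 R2
# without the LocalAccounts module that Get-LocalGroupMember requires.
$ReadMembers = {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        # AdsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://WKS-TEST01/Administrator
        $path  = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # Local accounts are reported by bare name, domain principals as DOMAIN\Name
        if ($parts[0] -ieq $env:COMPUTERNAME) { $parts[1] } else { "$($parts[0])\$($parts[1])" }
    }
}

foreach ($computer in $Computers) {
    try {
        $actual = Invoke-Command -ComputerName $computer -ScriptBlock $ReadMembers -ErrorAction Stop
    } catch {
        Write-Warning "$computer : could not read group membership ($($_.Exception.Message))"
        continue
    }
    $missing = $ExpectedMembers | Where-Object { $_ -notin $actual }
    $extra   = $actual          | Where-Object { $_ -notin $ExpectedMembers }
    if (-not $missing -and -not $extra) {
        Write-Output "$computer : OK, membership matches the GPP item"
    } else {
        # Missing members with a GPP that gpresult calls "applied" is the symptom in the
        # question; extra members indicate local drift that the policy is not correcting.
        Write-Output "$computer : MISMATCH"
        $missing | ForEach-Object { Write-Output "    missing: $_" }
        $extra   | ForEach-Object { Write-Output "    extra:   $_" }
    }
}
```

Run it before and after a `gpupdate /force` on the targets to confirm the membership change, rather than trusting the gpresult status alone.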