Restricted Groups Propagating to Most but not All Users... [message #156557] Fri, 19 June 2009 08:28
Wes H
This is weird, so I created an AD security group called LocalAdmin and put a couple
people I wanted to give local admin rights to into that group. I then went
into the Default Domain Policy and under computer/security/restricted groups
I created a new one and used the "member of" way so it wouldn't remove
anything. I made my new AD group called LocalAdmins and member of
"administrators" group. Now, this worked for about 95% of the organization
(it took like 2 days), but there were a handful of computers that I had to
manually do a gpupdate /force on to get it to work. Why would that be? I
looked and these computers are in the same OU as some other ones that worked.
Any ideas?

-Wes
Re: Restricted Groups Propagating to Most but not All Users... [message #156558 is a reply to message #156557] Fri, 19 June 2009 09:04
Marcin
Wes - this is not expected - since security settings should be applied to
domain member computers every 16 hours... Do you see event 1704 in the
Application event log on those clients? Is there any chance that they were
off the network during the refresh interval? If not, I'd suggest following
standard GPO troubleshooting methods - as described in
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx

hth
Marcin
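
The check suggested in the reply above, as an added example that is not part of the original thread: it lists recent event 1704 entries, flags gaps longer than the 16-hour refresh interval, and confirms whether the domain group is in the local Administrators group. `CONTOSO\LocalAdmins` and the 2-hour slack are assumptions; `Get-LocalGroupMember` needs Windows PowerShell 5.1 or later.

```powershell
# Added example: run in an elevated Windows PowerShell 5.1+ session on the affected client.
$DomainGroup  = 'CONTOSO\LocalAdmins'  # hypothetical placeholder: DOMAIN\group pushed by the GPO
$RefreshHours = 16                     # security-settings refresh interval cited in the reply
$SlackHours   = 2                      # assumed allowance for the background refresh offset

# Event 1704 (source SceCli) is logged when GPO security policy is applied successfully.
# Results come back newest first.
$applied = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1704 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'SceCli' })

# A gap between consecutive 1704 events that exceeds the refresh interval suggests the
# machine was off, asleep or off the network when a refresh was due.
$longGaps = @(for ($i = 0; $i -lt $applied.Count - 1; $i++) {
    $gap = $applied[$i].TimeCreated - $applied[$i + 1].TimeCreated
    if ($gap.TotalHours -gt ($RefreshHours + $SlackHours)) {
        [pscustomobject]@{
            From  = $applied[$i + 1].TimeCreated
            To    = $applied[$i].TimeCreated
            Hours = [math]::Round($gap.TotalHours, 1)
        }
    }
})

# Look up the built-in Administrators group by well-known SID (its name is localized).
try {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    $present = [bool]($members | Where-Object { $_.Name -eq $DomainGroup })
} catch {
    $present = $null   # enumeration failed, for example on an unresolvable member entry
}

# Summary first, then any long gaps.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Last1704      = if ($applied.Count) { $applied[0].TimeCreated } else { $null }
    LongGapCount  = $longGaps.Count
    GroupInAdmins = $present
} | Format-List

$longGaps | Format-Table -AutoSize
```

A recent `Last1704` together with `GroupInAdmins : False` matches the symptom described in this thread: policy processing is being logged, yet the membership is missing.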
Re: Restricted Groups Propagating to Most but not All Users... [message #156561 is a reply to message #156558] Fri, 19 June 2009 10:04
Wes H
Thanks for the reply. Ok, I checked the event viewer on the PC in question,
and she had 1704's in there for days, so she was getting the updates. It was
just that I had to manually do a gpupdate /force for them to apply??? That
is bizarre. Do you think this is because I put it into the default domain
policy? Why would almost all other users get them?

-Wes
Re: Restricted Groups Propagating to Most but not All Users... [message #156564 is a reply to message #156561] Fri, 19 June 2009 10:47
Marcin
Wes,
modifying the Default Domain Policy in general is not a good idea - so I'd
avoid it in the future, but I don't see a reason why this would cause the
issue you are describing. You can use the link I provided to troubleshoot it
further...

hth
Marcin