Sign in with
Sign up | Sign in
Your question

Local Group Membership not Persistent

Last response: in Windows 2000/NT
Share
July 19, 2004 2:16:01 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

When I add Domain Users to a local group (say Power Users) the setting is not there after the workstation restarts. I have searched through the AD Policy settings on the w2k SBS and can't find anything which might be resetting this. The default AD Group Policy settings are all 'not configured'. There are no other Policies further down the AD tree. Two questions:
1. How can I permanently add Domain Users to a local group?
2. If I have an application which requires local permissions to run what is best practice for providing this?
Any help gratefully received!
Cheers,
Bill
Anonymous
July 19, 2004 2:12:55 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

On Sun, 18 Jul 2004 22:16:01 -0700, "Bill" <Bill@discussions.microsoft.com>
wrote:

>When I add Domain Users to a local group (say Power Users) the setting is not there after the workstation restarts. I have searched through the AD Policy settings on the w2k SBS and can't find anything which might be resetting this. The default AD Group Policy settings are all 'not configured'. There are no other Policies further down the AD tree. Two questions:
>1. How can I permanently add Domain Users to a local group?
>2. If I have an application which requires local permissions to run what is best practice for providing this?
>Any help gratefully received!
>Cheers,
>Bill


How are you adding them?

On the local machine, try:

net localgroup "Power Users" "DomainName\UserName" /add


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
July 19, 2004 6:47:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks for your response Jerold.
Logged in as local Administrator, I added them using Computer Management, Local Users and Groups, Right-click on <group>, Add to Group, Add, then selecting domain user group or role, e.g. Domain Users or Authenticated Users.
Cheers,
Bill

"Jerold Schulman" wrote:

> On Sun, 18 Jul 2004 22:16:01 -0700, "Bill" <Bill@discussions.microsoft.com>
> wrote:
>
> >When I add Domain Users to a local group (say Power Users) the setting is not there after the workstation restarts. I have searched through the AD Policy settings on the w2k SBS and can't find anything which might be resetting this. The default AD Group Policy settings are all 'not configured'. There are no other Policies further down the AD tree. Two questions:
> >1. How can I permanently add Domain Users to a local group?
> >2. If I have an application which requires local permissions to run what is best practice for providing this?
> >Any help gratefully received!
> >Cheers,
> >Bill
>
>
> How are you adding them?
>
> On the local machine, try:
>
> net localgroup "Power Users" "DomainName\UserName" /add
>
>
> Jerold Schulman
> Windows: General MVP
> JSI, Inc.
> http://www.jsiinc.com
>
Related resources
Anonymous
July 20, 2004 2:46:12 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

It sounds like there might be a restricted group policy being applied to the
workstation. That would correspond to the accounts being removed when you
reboot the machine because the policy would be re-applied. I would suggest
checking any GPO's that would apply to the machine for restricted group
policies for the groups you are interested in.

You can check which policies you are getting security settings from by
running "gpresult /v" at a command prompt.

The policy of interest would be in the following path:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

295771 SMS: A "Restricted Group" Policy May Prevent SMS Clients from Being
http://support.microsoft.com/?id=295771

320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
2000
http://support.microsoft.com/?id=320045


--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

"Bill" <Bill@discussions.microsoft.com> wrote in message
news:D F4E6C23-AB4C-415D-9764-E1F0CCA34DF0@microsoft.com...
> Thanks for your response Jerold.
> Logged in as local Administrator, I added them using Computer Management,
Local Users and Groups, Right-click on <group>, Add to Group, Add, then
selecting domain user group or role, e.g. Domain Users or Authenticated
Users.
> Cheers,
> Bill
>
> "Jerold Schulman" wrote:
>
> > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
<Bill@discussions.microsoft.com>
> > wrote:
> >
> > >When I add Domain Users to a local group (say Power Users) the setting
is not there after the workstation restarts. I have searched through the AD
Policy settings on the w2k SBS and can't find anything which might be
resetting this. The default AD Group Policy settings are all 'not
configured'. There are no other Policies further down the AD tree. Two
questions:
> > >1. How can I permanently add Domain Users to a local group?
> > >2. If I have an application which requires local permissions to run
what is best practice for providing this?
> > >Any help gratefully received!
> > >Cheers,
> > >Bill
> >
> >
> > How are you adding them?
> >
> > On the local machine, try:
> >
> > net localgroup "Power Users" "DomainName\UserName" /add
> >
> >
> > Jerold Schulman
> > Windows: General MVP
> > JSI, Inc.
> > http://www.jsiinc.com
> >
Anonymous
July 20, 2004 12:24:04 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Jerold,
I will try adding them as you have suggested and see what happens.
Cheers,
Bill
--


---------------------------------------------------------------------
"Are you still wasting your time with spam?...
There is a solution!"

Protected by GIANT Company's Spam Inspector
The most powerful anti-spam software available.
http://mail.spaminspector.com


"Jerold Schulman" <Jerry@jsiinc.com> wrote in message
news:3llnf01d548k98t4kjg25003iffge5lm8p@4ax.com...
> On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
<Bill@discussions.microsoft.com>
> wrote:
>
> >When I add Domain Users to a local group (say Power Users) the setting is
not there after the workstation restarts. I have searched through the AD
Policy settings on the w2k SBS and can't find anything which might be
resetting this. The default AD Group Policy settings are all 'not
configured'. There are no other Policies further down the AD tree. Two
questions:
> >1. How can I permanently add Domain Users to a local group?
> >2. If I have an application which requires local permissions to run what
is best practice for providing this?
> >Any help gratefully received!
> >Cheers,
> >Bill
>
>
> How are you adding them?
>
> On the local machine, try:
>
> net localgroup "Power Users" "DomainName\UserName" /add
>
>
> Jerold Schulman
> Windows: General MVP
> JSI, Inc.
> http://www.jsiinc.com
Anonymous
July 21, 2004 1:45:09 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks, Gary.
I will have a look at gpresult and see what it tells me and read the
references you have given me. I guess you can tell I am new to Group Policy?
Cheers,
Bill

--


---------------------------------------------------------------------
"Are you still wasting your time with spam?...
There is a solution!"

Protected by GIANT Company's Spam Inspector
The most powerful anti-spam software available.
http://mail.spaminspector.com


"Gary Mudgett [MSFT]" <garymu@online.microsoft.com> wrote in message
news:uo4J6OgbEHA.2816@TK2MSFTNGP11.phx.gbl...
> It sounds like there might be a restricted group policy being applied to
the
> workstation. That would correspond to the accounts being removed when you
> reboot the machine because the policy would be re-applied. I would
suggest
> checking any GPO's that would apply to the machine for restricted group
> policies for the groups you are interested in.
>
> You can check which policies you are getting security settings from by
> running "gpresult /v" at a command prompt.
>
> The policy of interest would be in the following path:
> Computer Configuration\Windows Settings\Security Settings\Restricted
Groups
>
> 295771 SMS: A "Restricted Group" Policy May Prevent SMS Clients from Being
> http://support.microsoft.com/?id=295771
>
> 320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
> 2000
> http://support.microsoft.com/?id=320045
>
>
> --
> Gary Mudgett, MCSE, MCSA
> Windows 2000/2003 Directory Services
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "Bill" <Bill@discussions.microsoft.com> wrote in message
> news:D F4E6C23-AB4C-415D-9764-E1F0CCA34DF0@microsoft.com...
> > Thanks for your response Jerold.
> > Logged in as local Administrator, I added them using Computer
Management,
> Local Users and Groups, Right-click on <group>, Add to Group, Add, then
> selecting domain user group or role, e.g. Domain Users or Authenticated
> Users.
> > Cheers,
> > Bill
> >
> > "Jerold Schulman" wrote:
> >
> > > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
> <Bill@discussions.microsoft.com>
> > > wrote:
> > >
> > > >When I add Domain Users to a local group (say Power Users) the
setting
> is not there after the workstation restarts. I have searched through the
AD
> Policy settings on the w2k SBS and can't find anything which might be
> resetting this. The default AD Group Policy settings are all 'not
> configured'. There are no other Policies further down the AD tree. Two
> questions:
> > > >1. How can I permanently add Domain Users to a local group?
> > > >2. If I have an application which requires local permissions to run
> what is best practice for providing this?
> > > >Any help gratefully received!
> > > >Cheers,
> > > >Bill
> > >
> > >
> > > How are you adding them?
> > >
> > > On the local machine, try:
> > >
> > > net localgroup "Power Users" "DomainName\UserName" /add
> > >
> > >
> > > Jerold Schulman
> > > Windows: General MVP
> > > JSI, Inc.
> > > http://www.jsiinc.com
> > >
>
>
Anonymous
July 21, 2004 1:45:10 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

That is fine. I hope the information helps!

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

"Bill Glidden" <bglidden@bigpong.net> wrote in message
news:u6ad96kbEHA.3524@TK2MSFTNGP12.phx.gbl...
> Thanks, Gary.
> I will have a look at gpresult and see what it tells me and read the
> references you have given me. I guess you can tell I am new to Group
Policy?
> Cheers,
> Bill
>
> --
>
>
> ---------------------------------------------------------------------
> "Are you still wasting your time with spam?...
> There is a solution!"
>
> Protected by GIANT Company's Spam Inspector
> The most powerful anti-spam software available.
> http://mail.spaminspector.com
>
>
> "Gary Mudgett [MSFT]" <garymu@online.microsoft.com> wrote in message
> news:uo4J6OgbEHA.2816@TK2MSFTNGP11.phx.gbl...
> > It sounds like there might be a restricted group policy being applied to
> the
> > workstation. That would correspond to the accounts being removed when
you
> > reboot the machine because the policy would be re-applied. I would
> suggest
> > checking any GPO's that would apply to the machine for restricted group
> > policies for the groups you are interested in.
> >
> > You can check which policies you are getting security settings from by
> > running "gpresult /v" at a command prompt.
> >
> > The policy of interest would be in the following path:
> > Computer Configuration\Windows Settings\Security Settings\Restricted
> Groups
> >
> > 295771 SMS: A "Restricted Group" Policy May Prevent SMS Clients from
Being
> > http://support.microsoft.com/?id=295771
> >
> > 320045 HOW TO: Restrict Group Membership By Using Group Policy in
Windows
> > 2000
> > http://support.microsoft.com/?id=320045
> >
> >
> > --
> > Gary Mudgett, MCSE, MCSA
> > Windows 2000/2003 Directory Services
> >
> > =====================================================
> > When responding to posts, please "Reply to Group" via
> > your newsreader so that others may learn and benefit
> > from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> > "Bill" <Bill@discussions.microsoft.com> wrote in message
> > news:D F4E6C23-AB4C-415D-9764-E1F0CCA34DF0@microsoft.com...
> > > Thanks for your response Jerold.
> > > Logged in as local Administrator, I added them using Computer
> Management,
> > Local Users and Groups, Right-click on <group>, Add to Group, Add, then
> > selecting domain user group or role, e.g. Domain Users or Authenticated
> > Users.
> > > Cheers,
> > > Bill
> > >
> > > "Jerold Schulman" wrote:
> > >
> > > > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
> > <Bill@discussions.microsoft.com>
> > > > wrote:
> > > >
> > > > >When I add Domain Users to a local group (say Power Users) the
> setting
> > is not there after the workstation restarts. I have searched through
the
> AD
> > Policy settings on the w2k SBS and can't find anything which might be
> > resetting this. The default AD Group Policy settings are all 'not
> > configured'. There are no other Policies further down the AD tree. Two
> > questions:
> > > > >1. How can I permanently add Domain Users to a local group?
> > > > >2. If I have an application which requires local permissions to run
> > what is best practice for providing this?
> > > > >Any help gratefully received!
> > > > >Cheers,
> > > > >Bill
> > > >
> > > >
> > > > How are you adding them?
> > > >
> > > > On the local machine, try:
> > > >
> > > > net localgroup "Power Users" "DomainName\UserName" /add
> > > >
> > > >
> > > > Jerold Schulman
> > > > Windows: General MVP
> > > > JSI, Inc.
> > > > http://www.jsiinc.com
> > > >
> >
> >
>
>
!