The following scenario is weird. Please be advised.
I have created a GPO on an OU containing workstations like this:
This GPO purpose is to make the Backup Operators group a member of the local Administrators group on all the workstations inside the OU.
Here is the content of this GPO:
Then when I check if the GPO is applied using gpresult on a workstation inside the Organisational Unit (OU) on which the GPO is applied, I can see that it is correctly applied on that workstation:
But when I go check in the local group on the workstation, in the local Administrators group, I should see the Backup Operators group inside it, but no:
Even after a gpupdate /force followed by a reboot, I end up with the same result.
Have I done something wrong?
EDIT:
This is what I get in the Event Viewer after I do a gpupdate /force:
Security policies were propagated with warning. 0x4b8 : An extended
error has occurred.
For best results in resolving this event, log on with a
non-administrative account and search http://support.microsoft.com
for "Troubleshooting Event 1202's".
Heh, you're going to slap yourself!
"Backup Operators" is a built-in Domain Local security group.
As per my aging MCSE, a domain local security group cannot be a member of another group.
It is a so-called "endpoint" group and can only apply to DACLs and the like.
While I agree ultimately with @adaptr, this cannot be done, some clarification of terminology may be helpful.
You can create domain local security groups and nest them. It may depend on domain function level (ours is 2000, not very current) and it may depend on server version (we run 2003/2008R2) but it can be done.
However MS default builtin groups, both local and domain, have restricted nesting.
"You cannot add the default groups that are located in the Builtin container as members to other groups. However, you can add other groups as members to the default groups that are located in the Builtin container."
http://technet.microsoft.com/en-us/library/cc776499(WS.10).aspx
Both the Administrator and Backup Operators groups are in the domain Builtin OU; this would appear to apply to clients (local users and groups) as well.
Seems backwards to me. I've always added the "Administrators" group to the restricted groups GPO and added the appropriate members. Keep in mind, this will overwrite what's there so make sure you add domain admins back in.
Actually, is there another GPO that's adding Domain admins to the Administrators group? That could be overwriting this GPO if applied after. For example, the default domain policy.
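As an added example, not part of the question or of any answer above: a PowerShell audit script that checks a workstation's local Administrators group against the membership a Restricted Groups GPO is supposed to enforce, flags the "Domain Admins got overwritten" trap mentioned in the answer about the Administrators restricted group, and pulls any SceCli Event 1202 from the last policy refresh. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), local administrator rights on the workstation, a placeholder domain name DOMAIN, an expected-members list you adjust to your GPO, and the winlogon.log path under %SystemRoot%\security\logs, whose presence varies by Windows version.

```powershell
# Added example (not from the original thread). Audits the local
# Administrators group against what a Restricted Groups GPO should enforce
# and reports SceCli 1202 warnings from recent policy refreshes.
# Assumptions: PowerShell 5.1+, run as a local admin on the workstation,
# 'DOMAIN' is a placeholder for your NetBIOS domain name.
param(
    [string[]]$ExpectedMembers = @('DOMAIN\Domain Admins', 'DOMAIN\Backup Operators'),
    [int]$LookbackHours = 24
)

# 1. Actual membership of the local Administrators group.
$actual = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

Write-Host 'Current local Administrators members:'
$actual | ForEach-Object { Write-Host "  $_" }

# 2. Drift check. 'missing' is what the GPO should have added but did not;
#    a missing 'Domain Admins' is the classic result of a Restricted Groups
#    'Members' list replacing the group instead of adding to it.
$missing = $ExpectedMembers | Where-Object { $actual -notcontains $_ }
$extra   = $actual          | Where-Object { $ExpectedMembers -notcontains $_ }

if ($missing) { Write-Warning "Expected but missing: $($missing -join ', ')" }
if ($extra)   { Write-Host    "Present but not in expected list: $($extra -join ', ')" }

# 3. Did a recent refresh log a policy propagation warning? Event 1202 from
#    source SceCli in the Application log is what the question's EDIT shows.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SceCli'
    Id           = 1202
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # First line of the message carries the status code (e.g. 0x4b8).
    Write-Warning ('{0}: {1}' -f $e.TimeCreated, ($e.Message -split "`n")[0])
}

# 4. The security configuration engine's own log names the group or member
#    it could not resolve or apply. Path is an assumption; skip if absent.
$log = Join-Path $env:SystemRoot 'security\logs\winlogon.log'
if (Test-Path $log) {
    Write-Host "Recent entries in $log mentioning errors:"
    Get-Content $log -Tail 40 | Select-String -Pattern 'error|cannot|could not'
}
```

Run it once after gpupdate /force and a reboot: an empty "missing" list with no 1202 event means the policy applied; a 1202 event together with a missing group points at the nesting restriction described in the accepted answer rather than at a replication or timing problem.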