From my experience, Restricted Groups settings simply state what the computer (or domain controller, if you stick the setting in your DCs' GPO) will make sure the group memberships are when it checks the GPO.  If you set the "Administrators" group to be "Domain Admins; groupa; groupb", then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains "Domain Admins; groupa; groupb; builtin\Administrator".

Just so you know, as with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added or adding whatever was removed.  This may be 2 minutes later or 2 hours later.  This is the same if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service, it will remain started until the computer is restarted or someone manually stops it).

If you remove the GPO setting, then it simply won't check the group memberships for those groups any more.  Or at least that's my interpretation.  It's kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it: it won't change the current settings, though you can now manually change them and they won't be reverted.

I guess I think of a GPO as being a "Go make sure that everything is like this, and if it isn't, make it like this" kind of thing, and that's the way I always see it actually get applied.  If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated they should be.


On 7/26/06, Derek Harris <[EMAIL PROTECTED]> wrote:
Yes -- I've done that, and that's how it worked for me.


From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 5:23 PM
Subject: RE: [ActiveDir] Question on "restricted group" policy.

This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).
 
Darren
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on "restricted group" policy.

Hey,
 
   I created a restricted group policy for my domain that adds some groups to the local Administrators group of the workstations. My question is, now management wants me to delete it. If I understand the way this works, if I delete it then it will delete the groups that were associated with this policy, thus leaving nobody in the local admin group. Am I correct?
 
v/r
john
 

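As an added example (not part of the thread above, and not a Microsoft tool), the following PowerShell models the "Members of this Group" reconciliation the thread describes: the desired list is authoritative, anything not on it is removed, anything missing is added, and the built-in Administrator account (RID 500) is always kept. The drift calculation is a pure function so it can be run offline against the constructed sample at the bottom; the wrapper uses the real Microsoft.PowerShell.LocalAccounts cmdlets (Get-/Add-/Remove-LocalGroupMember, Windows PowerShell 5.1 or later) and only changes the group when -Enforce is passed. Function names, the sample machine/domain names and the sample SIDs are made up for illustration.

```powershell
# Added example: models Restricted Groups "Members of this Group" semantics
# for a local group. Not part of the original mailing-list thread.

function Get-RestrictedGroupDrift {
    <#
      Compares the desired member list with the current members and returns
      what a Restricted Groups refresh would add and remove. The built-in
      Administrator (SID ending in -500) is never flagged for removal,
      matching the behaviour described in the thread.
    #>
    param(
        [Parameter(Mandatory)][string[]]$Desired,   # e.g. 'CONTOSO\Domain Admins'
        [Parameter(Mandatory)][object[]]$Current    # objects with .Name and .SID
    )

    # -contains / -notcontains are case-insensitive for strings in PowerShell.
    $currentNames = @($Current | ForEach-Object { $_.Name })

    $toRemove = @($Current | Where-Object {
        ($_.SID.ToString() -notlike '*-500') -and ($Desired -notcontains $_.Name)
    } | Select-Object -ExpandProperty Name)

    $toAdd = @($Desired | Where-Object { $currentNames -notcontains $_ })

    [pscustomobject]@{
        ToAdd    = $toAdd
        ToRemove = $toRemove
    }
}

function Invoke-RestrictedGroupReconcile {
    <#
      Reads the live local group and either reports the drift (default)
      or applies it (-Enforce), the way a GPO refresh would.
    #>
    param(
        [string]$Group = 'Administrators',
        [Parameter(Mandatory)][string[]]$Desired,
        [switch]$Enforce
    )

    $current = Get-LocalGroupMember -Group $Group
    $drift   = Get-RestrictedGroupDrift -Desired $Desired -Current $current

    foreach ($m in $drift.ToRemove) {
        if ($Enforce) { Remove-LocalGroupMember -Group $Group -Member $m }
        else          { Write-Output "Would remove '$m' from $Group" }
    }
    foreach ($m in $drift.ToAdd) {
        if ($Enforce) { Add-LocalGroupMember -Group $Group -Member $m }
        else          { Write-Output "Would add '$m' to $Group" }
    }
    $drift
}

# Constructed sample (fictitious names and SIDs) so the drift logic can be
# exercised without touching a real machine. Shape mirrors Get-LocalGroupMember.
$sampleMembers = @(
    [pscustomobject]@{ Name = 'WKS01\Administrator';    SID = 'S-1-5-21-1111-2222-3333-500'  }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins';  SID = 'S-1-5-21-4444-5555-6666-512'  }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith';         SID = 'S-1-5-21-4444-5555-6666-1105' }
)

Get-RestrictedGroupDrift -Desired 'CONTOSO\Domain Admins', 'CONTOSO\groupa' -Current $sampleMembers

# Against a live machine (requires local admin), dry run first, then enforce:
#   Invoke-RestrictedGroupReconcile -Desired 'CONTOSO\Domain Admins','CONTOSO\groupa'
#   Invoke-RestrictedGroupReconcile -Desired 'CONTOSO\Domain Admins','CONTOSO\groupa' -Enforce
```

With the constructed sample, the user account that is not on the desired list is flagged for removal and the missing group for addition, while the RID 500 account is left alone even though it is not listed. The same logic also illustrates the thread's other point: if the function is simply never run again (the GPO is deleted or unlinked), nothing puts the group back to its earlier state.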