Restricted Groups Policy Stopped Working

Status
Not open for further replies.

genistas

Hi,

I'm running a Windows Server 2003 network with approx. 700 clients. For the last two years or so I've been using the Restricted Groups group policy to allow about 14 users in the 1200-user organization to be local administrators on the clients, mostly for the purpose of installing software. This has worked great up until about a month ago when suddenly these users were not allowed to install software. When I go to a client and check the local users and groups, all of these users are still in the Administrators group, however they are still prevented from installing programs, and I have to log in as administrator in order to do the installation.

My first thought was that a Windows update on the clients might have caused this, but I have to admit that 90% of our clients haven't received an update in almost a year. Our servers however do receive regular updates.

Any thoughts?

Thanks!
-dan

I forgot to add that all of the clients are running Windows XP Pro, SP2, with a handful running SP3. The problem exists on both SP2 and SP3 machines.
 
I've looked into the local group policy on one of the machines in question and nothing was defined that would prevent local administrators from installing software.



thanks for the reply!
 
what happens when you try to install software?

error message would help diagnose.


check event viewer.

run gpresult to make sure group policy is being applied. However, any administrator should still be able to install software
 
gpresult shows that policy is being applied from the server.

As far as messages go, when logged-in as a user with local admin rights, an attempt to install software prompts the "Run-as user" dialogue box, requiring the username and password of a user with rights to install software on this machine.

Another instance happened in an entire computer lab, when one of our users with install rights tried to download the shockwave player in a web browser, but after clicking "install" nothing would happen. After trying another user from our restricted groups list, I was finally forced to use the Administrator login, which worked fine. I confirmed that both of these users were in the administrators group under computer management.
 
try opening some admin tools items. my guess is that you'll get access denied. Can they change the system time?

if they can't it seems they do not have admin rights.


did you try to delete and readd?
 
Hi,
I apologize for the delay in my response. You may not believe this (in fact, I'm not 100% in belief yet), but one of our users reported being able to install an application this morning, and after trying out several users' logins on a couple of computers, it appears that (at least for now) things are back to normal. I still have yet to test this in the infamous lab, but for now I'll call it a victory.

In response to your last post, yes, these users were able to run admin tools but were still being denied install rights.

Incidentally, I found one computer that still does not allow installs, but if I click "Run As" and enter the same login info that was used to log on to Windows, it will allow me to proceed with the install. I refreshed the policy and it appears to be picking it up, but still that problem exists. Not a big deal though, I can live with one.

Thanks for all your help, if I ever figure out what's going on I will let you know!
 