Help and Support
 

powered byLive Search

All members of a group are removed when the group is selected by the Restricted Groups policy settings and then Group Policy is refreshed in the background

View products that this article applies to.
Article ID:944329
Last Review:November 12, 2007
Revision:1.1
On This Page

SYMPTOMS

Consider the following scenario:
You open the Domain Security Policy Microsoft Management Console (MMC) or the Domain Controller Security Policy MMC to configure the Restricted Groups policy settings in Windows Server 2003.
You click Add Group to add a group, such as the Domain Admins group.

Note After the group is added, its Properties dialog box opens. You can define the members of this group or define the groups to which this group belongs.
Before you change the value of the Members of this group property and then click OK to apply the changes, Group Policy is refreshed in the background.
In this scenario, all members of the group that you added are removed.

Back to the top

CAUSE

If a restricted group is defined, and no members are configured (that is, the Members list is empty), all members of the group are removed when the policy is enforced on the computer.

Back to the top

WORKAROUND

To work around this behavior, use one of the following methods.

Back to the top

Method 1

Create a Group Policy object. Then, use the Group Policy Management Console (GPMC) to link the Group Policy object to the domain, the domain controller, or the organizational units (OU).

For more information about how to use GPMC to link a Group Policy object, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/5942c4ff-d9f3-41c5-a36b-74e74f777b511033.mspx?mfr=true (http://technet2.microsoft.com/windowsserver/en/library/5942c4ff-d9f3-41c5-a36b-74e74f777b511033.mspx?mfr=true)

Back to the top

Method 2

Modify the default Group Policy refresh interval on the domain controller to set a refresh interval value that is greater than five minutes. For example, set the refresh interval to 15 minutes.

Note This method may affect the performance of the domain controller. For more information about how to modify the default Group Policy refresh interval, click the following article number to view the article in the Microsoft Knowledge Base:
203607 (http://support.microsoft.com/kb/203607/) How to modify the default Group Policy refresh interval

Back to the top

STATUS

This behavior is by design.

Back to the top

MORE INFORMATION

For more information about the Restricted Groups policy settings, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx?mfr=true (http://technet2.microsoft.com/WindowsServer/en/library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx?mfr=true)

Back to the top

APPLIES TO
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

Back to the top

Keywords: 
kbexpertiseadvanced kbtshoot kbprb KB944329

Back to the top

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.