
Group Policy doesn't work

Post by guest » Fri Jan 02, 2009 3:12 pm

Situation: You have GPO policies to apply to all XP machines and assigned domain
users with "Power Users". In addition, you have assigned one user with
local admin right. However, this policy reverts back to "Power Users"
every day.

Troubleshooting: This issue can occur if the original "Power Users" policy is still applied
to the user/machine. Please check whether the original policy is
conflicting with the new policy. If so, please filter the user/machine from
the original policy. For example, you can use security filtering to apply
the GPO to a given user or computer. For more information, you can refer to
the following article:

Security filtering using GPMC
http://technet.microsoft.com/en-us/libr ... 81988.aspx

Filter using security groups
http://technet.microsoft.com/en-us/libr ... 79291.aspx


In addition, to better serve you on this issue, I would like to confirm how
you assign the Power Users right to all domain users and how you assign the
local admin right to the specific user. Please let me know the detailed
steps. Thank you for your cooperation.

At this point, we may use the Restricted Groups policy to add a domain
account to the local administrators group on the client computer.

The Restricted Groups policy allows a domain administrator to define the
following two properties for security-sensitive (restricted) groups:

- Members
- Member Of

The "Members" list defines who should and should not belong to the
restricted group. The "Member Of" list specifies which other groups the
restricted group should belong to.

Using the "Members" Restricted Group Portion of Policy
------------------------------------------------------

When a Restricted Group policy is enforced, any current member of a
restricted group that is not on the "Members" list is removed with the
exception of administrator in the Administrators group. Any user on the
"Members" list which is not currently a member of the restricted group is
added.

Using the "Member Of" Restricted Group Portion of Policy
--------------------------------------------------------

Only inclusion is enforced in this portion of a Restricted Group policy.
The Restricted Group is not removed from other groups. It makes sure that
the restricted group is a member of groups that are listed in the Member Of
dialog box.

Therefore, if you want to keep the existing membership of the local
administrators group, we should use the "Member Of" setting.

Suggestions:
=============
Note: Please first create a new group called GroupABC. This group should
contain only the one user to whom you want to assign the local admin right.

1. Start Active Directory Users and Computers from any domain controller.

2. Open the related GPO that you want to apply that setting on.

3. Right-click Restricted Groups (under Computer Configuration\Windows
Settings\Security Settings\Restricted Groups), and then click Add Group.

4. Click Browse to choose the domain global group GroupABC, and then click
OK. Then you will see a new item added in the Group Policy Editor window as
"DomainName\GroupABC".


5. Double-click the "DomainName\GroupABC" group added in Step 4.

6. To the right side of the "This group is a member of" box (the lower box),
click ADD, and then type in "Administrators" (without the quotation marks),
and then click OK.

7. After you do so, close the group policy.

You can go to the client computer and execute the following command to
manually refresh the Restricted Groups policy setting:

For Windows XP/2003 machines, please run:

GPUpdate /Target:Computer /Force

8. Now, we have added the GroupABC domain group to the client computer's local
Administrators group. You can add the necessary domain account into the
GroupABC to manage local computers in the future.

Reference:
=================

279301 Description of Group Policy Restricted Groups
http://support.microsoft.com/?id=279301

810076 Updates to Restricted Groups ("Member of") Behavior of User-Defined
http://support.microsoft.com/?id=810076
guest
 
Posts: 9027
Joined: Mon Nov 27, 2006 1:10 pm
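
The following is an added example, not part of the original post: a small auditor for the [Group Membership] section of a GPO security template (GptTmpl.inf, the file in which Restricted Groups settings are stored), separating "Members" entries, which replace a group's membership on every refresh, from "Member Of" entries, which only add. The sample template and every SID in it are constructed for illustration, and empty lists are skipped rather than interpreted.

```python
import re

# Constructed sample of a GptTmpl.inf; the domain SIDs are made up.
# S-1-5-32-547 = built-in Power Users, S-1-5-32-544 = built-in Administrators.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-513
*S-1-5-21-1111111111-2222222222-3333333333-1601__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1601__Members =
[Version]
signature="$CHICAGO$"
"""

# One entry per line: <group>__Members = ... or <group>__Memberof = ...
ENTRY = re.compile(
    r"^\*?(?P<group>[^=]+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def restricted_group_entries(inf_text):
    """Return (group, kind, [principals]) for each non-empty entry."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = ENTRY.match(line) if in_section else None
        if not match:
            continue
        principals = [p.strip().lstrip("*") for p in match["value"].split(",") if p.strip()]
        if principals:  # empty lists are skipped, not interpreted, in this example
            entries.append((match["group"].strip(), match["kind"].lower(), principals))
    return entries

def classify(entries):
    """Split entries into membership-replacing and additive settings."""
    replacing = [(g, p) for g, k, p in entries if k == "members"]
    additive = [(g, p) for g, k, p in entries if k == "memberof"]
    return replacing, additive

if __name__ == "__main__":
    replacing, additive = classify(restricted_group_entries(SAMPLE_INF))
    for group, members in replacing:
        print(f"REPLACES membership of {group} with {members}")
    for group, parents in additive:
        print(f"ADDS {group} to {parents}")
```

A "Members" entry on Power Users or Administrators in any GPO that still applies to the machine is the kind of setting that would undo a manual local group change at the next policy refresh.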
