I have several GPOs set up on our domain at work, in one GPO I have the group set to be Local Administrators via the Restricted Groups feature. However, when one of the users in this group logs in to one of the computers on the domain they are unable to make Administrative changes such as installing and removing programs. I double checked the GPO and everything seems to be set up right. The GPO is linked and is set to enforce the policies.
Update:
When I login on a client computer and run gpresult /z I get this:
The following GPOs were not applied because they were filtered out
Technology Department Configuration
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
Why does it say it's empty? Am I forgetting something? I'm looking at all the GPOs that we have in our domain and there are 5 total with each one only being applied to specific groups. These users are in the Technology Department group and are only linked to a single GPO. I don't see where something could be conflicting? The only filters that this group has is they are added to the Remote Desktop Users group, the Allow log on locally, to the Allow log on through Terminal Services, and was set up to the a Local Administrator via Restricted Groups.
Best Answer
Restricted Groups gpo's apply to computers, not users. If you want to use a Domain security group to specify which computers the gpo should apply, the computers in scope need to be added to that Domain security group.