Workstation group policy not updating
These two options will automatically remove any users or groups that are not explicitly being added to the group.You only need to do this on item number 1 in the list of settings as that setting will be processed last. Now you will need to make sure you have added back in the Domain Admin’s and Local Administrator groups so that you don’t totally lock yourself out of the computer.To do this click the “Add…” button to bring up the “Local Group Member” dialogue box (see Image 2) Image 2. Now type “Built In\Administrator” in the Name field and click OK (see Image 3.) Note: The image below is wrong… Local Administrators group added to the local administrators group Step 8.You should also add “DOMAINNAME\Domain Admins” as it is a good practice to have the DA account as a member of the local admin group on all computers in the domain.
The “Members” option removes any groups or users that are not explicitly specified and the “Members Of” option just adds a specific group which out removing any existing groups.So if you still use the Internet Explorer Maintenance section in Group Policy be aware that you will lose access to the ability to edit these policy setting if you update to IE10.Alternatively you can simply reset the Internet Explorer Maintenance settings (see How to remove imported Internet Explorer Group Policy Settings) and just use the standard Group Policy Administrative Templates or Group Policy preferences.In the steps below the computer name is DESKTOP01 and the domain name is CONTOSO, we want to add the group “CONTOSO\DESKTOP01 Administrators” to the local administrator group but we also want the same to happen on DESKTOP02, DESKTOP03 and so on, each with their own uniquely named group based on the computer name.Update: Having a unique group for each computer allows you to easily grant permission to for a single users to a single computer as there is a one to one mapping of domain groups to local administrator groups. Now go back and repeat steps 3 to 6 until you get to the Local Group Member dialogue box again (see Image 6.). Type “%Domain Name%\%Computer Name% Administrators” in the Name text field and click “OK” (Image 7.) Image 7.