Microsoft KB Archive/944329

= All members of a group are removed when the group is selected by the Restricted Groups policy settings and then Group Policy is refreshed in the background =

Article ID: 944329

Article Last Modified on 11/12/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-



SYMPTOMS
Consider the following scenario:
 * You open the Domain Security Policy Microsoft Management Console (MMC) or the Domain Controller Security Policy MMC to configure the Restricted Groups policy settings in Windows Server 2003.
 * You click Add Group to add a group, such as the Domain Admins group.

Note After the group is added, its Properties dialog box opens. You can define the members of this group or define the groups to which this group belongs.
 * Before you change the value of the Members of this group property and then click OK to apply the changes, Group Policy is refreshed in the background.

In this scenario, all members of the group that you added are removed.



CAUSE
If a restricted group is defined, and no members are configured (that is, the Members list is empty), all members of the group are removed when the policy is enforced on the computer.



WORKAROUND
To work around this behavior, use one of the following methods.

Method 1
Create a Group Policy object. Then, use the Group Policy Management Console (GPMC) to link the Group Policy object to the domain, the domain controller, or the organizational units (OU).

For more information about how to use GPMC to link a Group Policy object, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/5942c4ff-d9f3-41c5-a36b-74e74f777b511033.mspx?mfr=true

Method 2
Modify the default Group Policy refresh interval on the domain controller to set a refresh interval value that is greater than five minutes. For example, set the refresh interval to 15 minutes.

Note This method may affect the performance of the domain controller. For more information about how to modify the default Group Policy refresh interval, click the following article number to view the article in the Microsoft Knowledge Base:

203607 How to modify the default Group Policy refresh interval



STATUS
This behavior is by design.



MORE INFORMATION
For more information about the Restricted Groups policy settings, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx?mfr=true

Keywords: kbexpertiseadvanced kbtshoot kbprb KB944329

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.