Windows Server 2012 – Domain Local Group not getting members?


    ntex

    Hi,

    I have a single forest with 3 subdomains, all at Windows 2008 R2 functional level, and recently I decided to add a Windows Server 2012 DC (after some lab tests) to the smallest subdomain we have, which had 2 Windows 2008 R2 DCs.

    Since all was going smoothly with the 1st DC, after some weeks I decided to add the 2nd DC to that subdomain; both were fresh installs, by the way.

    So that subdomain now has 2 DCs on Windows Server 2012, but we kept the domain functional level at Windows 2008 R2.

    All went well so far, until we noticed one GPO wasn't working properly: our Restricted Groups GPO that adds some IT users from the Service Desk team.

    Oddly, this only happens on that particular subdomain (all was fine before introducing these 2 DCs on Windows Server 2012); the other 2 domains have the exact same settings and philosophy and are still working properly.

    Imagine the following scenario:
    Domain company.local with the following subdomains: hq.company.local, stores.company.local and brand.company.local

    On hq.company.local we have the IT group (Global) that belongs to ServiceDeskLocalAdmins (Universal).

    On each subdomain (all 3), hq\ServiceDeskLocalAdmins and the respective Domain Admins (Global) are mapped to a DomainLocalAdmins (Local) group on each subdomain.

    This scenario is the way it has been working all these last years (and it follows best practice for nesting groups, I believe); now, since we upgraded (fresh installs) the 2 DCs of brand.company.local, it stopped working only on that specific domain.

    It appears that brand\DomainLocalAdmins doesn't read/get the members from hq\ServiceDeskLocalAdmins and brand\Domain Admins in the Restricted Groups, while the other subdomains keep working fine like before.

    If I test the same user's membership on the 3 subdomains, it goes well on the hq and stores subdomains:

    Quote:
    The user is a part of the following security groups:

    Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users

    ServiceDeskLocalAdmins
    DomainLocalAdmins

    But if I test the same user's membership on the brand subdomain:

    Quote:
    The user is a part of the following security groups:

    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users

    ServiceDeskLocalAdmins

    DomainLocalAdmins is not listed there, and the same goes for other accounts (that output is from the domain Administrator).

    I could map hq\ServiceDeskLocalAdmins and brand\Domain Admins directly in the Restricted Groups GPO instead of using brand\DomainLocalAdmins, but before I start rolling out more DCs on 2012, I would like to understand why this is happening.

    Thanks for your help or any tip.
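
One way to narrow down where the nesting breaks, as an added diagnostic that is not part of the original post: walk the member attribute of the domain-local group in AD (following nested groups into whatever domain their DN lives in) and compare every group SID in that chain against the SIDs actually present in the current logon token. The group and domain names below are the hypothetical ones from the post; the script assumes the ActiveDirectory PowerShell module is installed and that it is run on a member of brand.company.local as the user whose membership is being tested.

```powershell
# Added diagnostic, not from the original post. Assumes the ActiveDirectory
# module is available and that the group/domain names match the post's
# hypothetical layout (brand.company.local, DomainLocalAdmins, etc.).
Import-Module ActiveDirectory

# Domain-local group on the brand subdomain whose nesting we want to verify
$TargetGroup  = 'DomainLocalAdmins'
$TargetDomain = 'brand.company.local'

function Get-DomainFromDN {
    # Turn 'CN=IT,OU=Groups,DC=hq,DC=company,DC=local' into 'hq.company.local'
    param([string]$DistinguishedName)
    $dcParts = $DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }
    return ($dcParts -replace '^DC=', '') -join '.'
}

function Get-NestedGroupChain {
    # Emit one object per group reachable from $GroupDN through nested
    # membership. Cross-domain members inside a single forest are stored as
    # plain DN references, so each member must be read from its own domain's DC
    # (-Server), not from the DC that holds the outer group.
    param(
        [string]$GroupDN,
        [hashtable]$Seen = @{}    # guards against circular nesting
    )
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true

    $domain = Get-DomainFromDN $GroupDN
    $group  = Get-ADGroup -Identity $GroupDN -Server $domain -Properties member
    [pscustomobject]@{
        Name   = $group.SamAccountName
        Domain = $domain
        Scope  = $group.GroupScope
        SID    = $group.SID.Value
    }
    foreach ($memberDN in $group.member) {
        $memberDomain = Get-DomainFromDN $memberDN
        $obj = Get-ADObject -Identity $memberDN -Server $memberDomain -Properties objectClass
        if ($obj.objectClass -eq 'group') {
            Get-NestedGroupChain -GroupDN $memberDN -Seen $Seen
        }
    }
}

$targetDN = (Get-ADGroup -Identity $TargetGroup -Server $TargetDomain).DistinguishedName
$chain    = Get-NestedGroupChain -GroupDN $targetDN

# SIDs present in this logon session's token. This is what Restricted Groups
# and every ACL check actually see, independent of what AD says the nesting is.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

# One row per group in the chain: is its SID in the token or not?
$chain | ForEach-Object {
    [pscustomobject]@{
        Group   = "$($_.Domain)\$($_.Name)"
        Scope   = $_.Scope
        InToken = ($tokenSids -contains $_.SID)
    }
} | Format-Table -AutoSize
```

Reading the output: if the Global and Universal groups in the chain show InToken = True but the Domain Local group shows False, AD's stored nesting is intact and the gap is in token construction. Domain-local group SIDs are added to the token by a DC of the domain where the logon or resource access takes place, so in the post's scenario that points at the brand.company.local DCs rather than at the group objects themselves; if instead a group in the chain is missing from the AD walk, the membership link itself is not there and the GPO cannot be expected to resolve it.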
