Hi there,
I've recently started testing SRP on my test users/workstations.
I created a GP with SRP turned on where i have "Enforcement" set as "All users except local administrators"
What I've noticed: if a user is a member of Domain Admins group and that group is a part of Local Users on a particular machines, that user is prevented from performing administrative tasks...even though intuitively it should not.
I read that the "Security Filtering" of the GP i created has default "Authenticated Users" which is the reason Domain Users are not excluded from the GP.
So I replaced Authenticated Users with Domain users and now my Domain Admins user is able to perform administrative tasks just fine.
My question is: How does this impact the security and enforcement of SRP? Obviously Authenticated Users is set by default for a reason. Before i settle for the aforementioned solution, I would like to be sure I am not not creating a serious security flaw.
Please advise,
Thank you!