Hi,
I'm a little bit confused with the way Microsoft design the nested groups.
Scenario:
We implement Restricted groups group policy to control the members of built-in Administrators group of every workstation in our office. The design was, to make managers domain user account to be member of built-in Administrators group of their subordinates workstations if ever they need administrative rights. So, result was there were many group policies created because we have some 30 departments. We come up to the solution that we create a domain global security group and add all the managers account as members and corporate help desk group, create a one single policy and join the created global security group, corporate help desk group and domain admins group to the built-in Administrators group of every workstation.
Problem:
We test the policy before we implement it, and a member of our created global security group successfully done an administrative action. But when we implement it, some manager user account doesn't recognize as administrator to the workstation. We did a little bit of research and supports the idea that nested groups was not good in the implementation of Nested groups.
http://bittangents.com/2010/07/13/nested-user-groups-groups-in-groups-built-in-local-groups-issue/
Question:
Why is there a different effect of the policy? In our testing environment, it was successful, even a member of a nested group successfully done an administrative action, but some members of the global group declared as local Administrator group of the workstation was not?
Appreciate any feedback.
thanks.