I was doing some testing with a newly created GPO that used Group Policy Preferences (GPP) to add a user account to the local administrators group, and I noticed that the policy seemed to apply properly to all of my Server 2012 and 2008 systems but not on any Server 2003 machines.
I did some research and came across an article on Microsoft’s Group Policy blog that shed some light on my issue:
The gist of it is that I needed to install the proper Client-Side Extensions (CSEs) for Server 2003. All of the links for the individual OSes and versions are in the MS blog post, but the specific one I needed is below.
You may also need to install XMLLite in addition to the CSEs, but to quote the post:
“XMLLite is not needed if:
· Your clients run Windows Server 2008 or Windows Vista.
· Your clients Windows XP and Windows Server 2003 clients run Internet Explorer 7 and/or the latest service packs.”
After installing the CSEs on my machines, they started processing the GPPs normally.
As a side note for anyone interested: the GPP to add user accounts to local groups is located under Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups.
To modify a local group, right-click and select New -> Local Group, choose Update as the action, and pick a group from the Group Name drop-down menu, in my case Administrators (built-in). Make sure to use the drop-down and not the ellipsis button (see image). Then use the Add button at the bottom of the window to add either local or domain accounts to that group.
Most of the guides I’ve found suggest using Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups to add users to the local administrators group, but this policy acts to replace any existing memberships rather than merge with them, so keep this in mind if you have Group Policy Objects linked at higher OUs which add users to the same groups. If you want to preserve the existing memberships, consider using GPPs to make the modifications instead.
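To review what a Local Users and Groups preference item will actually do before it reaches a server, the GPO's Groups.xml can be parsed and each membership change listed along with whether the item merges or replaces. This is an added example, not part of the original post: the function name, the sample XML and its account names are constructed, and the attribute names (`action`, `deleteAllUsers`, `deleteAllGroups`, `groupSid`) follow the layout the GPP editor normally writes, so treat them as assumptions and compare against your own file.

```powershell
# Constructed sample of a GPP Groups.xml (not taken from a real GPO).
# Attribute names are assumed from the layout the GPP editor normally writes.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="EXAMPLE\svc-patching" action="ADD" sid="" />
      </Members>
    </Properties>
  </Group>
  <Group name="Administrators">
    <Properties action="U" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0"
                groupSid="" groupName="Administrators">
      <Members>
        <Member name="EXAMPLE\helpdesk" action="ADD" sid="" />
      </Members>
    </Properties>
  </Group>
</Groups>
'@

function Get-GppLocalGroupChange {
    param([Parameter(Mandatory)][xml]$GroupsXml)
    foreach ($group in $GroupsXml.SelectNodes('//Group')) {
        $p = $group.SelectSingleNode('Properties')
        if (-not $p) { continue }
        # An item that deletes existing users or groups replaces membership instead of merging.
        $replaces = ($p.GetAttribute('deleteAllUsers') -eq '1') -or ($p.GetAttribute('deleteAllGroups') -eq '1')
        foreach ($m in $p.SelectNodes('Members/Member')) {
            [pscustomobject]@{
                Group        = $p.GetAttribute('groupName')
                ItemAction   = $p.GetAttribute('action')      # U = Update
                Member       = $m.GetAttribute('name')
                MemberAction = $m.GetAttribute('action')      # ADD or REMOVE
                Mode         = if ($replaces) { 'Replace' } else { 'Merge' }
                BoundBySid   = [bool]$p.GetAttribute('groupSid')  # false = matched by name only
            }
        }
    }
}

Get-GppLocalGroupChange -GroupsXml $sample | Format-Table -AutoSize
```

For a real GPO, pass `[xml](Get-Content <path to Groups.xml>)` instead of `$sample`; the file normally sits under the GPO's `Machine\Preferences\Groups` folder in SYSVOL. Rows with Mode `Replace` behave like Restricted Groups and will drop memberships added by GPOs linked at other OUs.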