I am trying to implement Restricted Group policy for my company's AD infrastructure, namely standardizing the local "Administrators" group. The documentation (and various webpages) said that the "Members of this group" policy will wipe out the "Administrators" group. However, an experiment made me confused:
I created 2 GPOs:
GPO-A replaces the Local Administrators with a list of domain users (e.g., "Alice" and "Bob")
GPO-B inserts a domain user (e.g., "Charlie" -- not part of GPO A) into the Local Administrators
Experiment 1: GPO-A gets applied first (link order 2)
Everything happens as expected: GPO-A cleans out Local Admins and add "Alice" & "Bob" gets added; GPO-B adds "Charlie".
Experiment 2: GPO-B is applied first
What happens:
"Charlie" gets added to the Local Admins group (which also contains 2 local users)
The local users on the PC gets deleted, and "Alice" and "Bob" gets added.
Result: Local Admins contain "Alice", "Bob", and "Charlie"
My confusion: In Experiment 2, I thought GPO-A will totally erase the Local Admins group, including users added by GPO-B (since GPO-A gets applied after GPO-B). As it happens, it only erase local users from the Local Admins, but keeps the domain users.
So, is that the way it should be? Or am I doing something incorrectly?