Re: Smart user removing domain admin group from local admin group
From: Chriss3 (noSpamHere_at_chrisse.se)
Date: 06/30/04
- Next message: Trust No OneŽ: "Re: Creating a "true" AD lab replica"
- Previous message: Chriss3: "Re: Unable to add Administrators Built-In group to shared folder"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 30 Jun 2004 23:11:50 +0200
Good point, Also note the Restricted Group Policy will clear every existing
member to the local group and replace it with the members listed in the
policy.
-- Regards Christoffer Andersson No email replies please - reply in the newsgroup ------------------------------------------------ http://www.chrisse.se - Active Directory Tips "ptwilliams" <ptw2001@hotmail.com> skrev i meddelandet news:uoOOVpiXEHA.3716@TK2MSFTNGP10.phx.gbl... > I have to chip in here. Chris' solution is the solution to take, however, > GPO processing does occur every 90 mins by default, but once it has applied > will not apply again unless the GPO is changed. Therefore, if the users > change the group membership after GPO application, it will not get changed > again until foreground processing occurs - a logon (or reboot) or secedit > /refreshpolicy machine_policy /enforce (unless you've set the security > client side extension to process every time regardless of change). > > -- > > Paul Williams > _________________________________________ > http://www.msresource.net > > > Join us in our new forums! > http://forums.msresource.net > _________________________________________ > "Chriss3" <noSpamHere@chrisse.se> wrote in message > news:%23kGicnhXEHA.1128@TK2MSFTNGP10.phx.gbl... > Hello Jody. > > You may not should give them local administrator rights if they not are > trusted, the article below shows how you can link the domain admins group to > the local admin group, the membership will refresh every time the GPO is > re-applied I think, it's every 90min by default. > > Restricted groups with in a Group Policy allow to map membership > http://www.chrisse.se/MAQB.asp?ID=29 > -- > Regards > Christoffer Andersson > > No email replies please - reply in the newsgroup > ------------------------------------------------ > http://www.chrisse.se - Active Directory Tips > > "Jody Riding" <jriding@fishnetsecurity.com> skrev i meddelandet > news:2314901c45e01$e21742d0$a501280a@phx.gbl... > > I have a couple of "smart" users that are removing the > > Domain administrator group from the local admin group on > > their pc. This is creating serious issues with trying to > > administrate the environment. I remember from an old job I > > had where there was a script that was put into Active > > Directory that would force / readd the domain admin group > > to the local admin group. The script would force this do to > > the fact of connection and login to AD. This force was not > > account linked but forced do to being in the login script > > section of AD. If anyone has any ideas on this it would be > > greatly appriciated. > > > > Please feel free to email me as well. > > > > J Riding > > >
- Next message: Trust No OneŽ: "Re: Creating a "true" AD lab replica"
- Previous message: Chriss3: "Re: Unable to add Administrators Built-In group to shared folder"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
