Re: delegation question....

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Alfredo (Alfredo_at_discussions.microsoft.com)
Date: 09/09/04 

Date: Thu, 9 Sep 2004 16:15:03 -0700

Thank you very much guys! I got it to work!!!

Here are the step by step on how is done.

1. Create a new GPO, and link it to the "IT OU" (whatever OU you want to
apply this to). Make sure the IT computer accounts are inside the "IT OU"

2. Edit your new GPO, and go to "Windows Settings/Security
Settings/Restricted Groups.

3. Right click "Restricted Groups" and select "add group" option from the
shortcut menu.

4. When it ask you for group name, <DON'T CLICK THE BROWSE BUTTON", instead
just type the word Administrators.

5. Now you can add "Members of this group" by clicking the "Add..." button

Make sure you add "DOMAIN\Domain Admins". If you don't add "DOMAIN\Domain
Admins" while creating a Restricted Group, the Domain Admin Account won't be
part of the local administrators group.

That's All.

Once again, thank you all!

"Tomasz Onyszko" wrote:

> Alfredo wrote:
>
> > Thank you Tomasz & Chriss3 for the your response.
> >
> > Everything makes sense, but I am just a bit unclear on the follwing step:
> >
> > Once I added the Group to the "Computer Configuration\Windows
> > Settings\Security Settings\Restricted Groups" then it asked me to "Configure
> > Membership for <group>"
> >
> > I cliked "Add", and it brings a browse windows; which let's me browse to
> > the domain accounts.
> >
> > My question is: Which account do I add?
> >
>
> You have to add all accounts that You want to be a members of the
> administrators local group - in Your specific case I will put the Domain
> Admins and Help Desk groups at minimum
>
> Gpo will force this local group membership on all workstations which
> will be under this GPO scope and will put this groups into thel local
> admin group on workstation.
>
>
> --
> Tomasz Onyszko [MVP]
> T.Onyszko@w2k.pl
> http://www.w2k.pl
>

Quantcast