Re: Restricted Groups > Local Administrators
From: Herb Martin (news_at_LearnQuick.com)
Date: 12/03/04
- Next message: Herb Martin: "Re: Rollback to NT4 Domain from 2000 mixed mode"
- Previous message: Herb Martin: "Re: AD account lock"
- In reply to: Rob: "Restricted Groups > Local Administrators"
- Next in thread: Cary Shultz [A.D. MVP]: "Re: Restricted Groups > Local Administrators"
- Reply: Cary Shultz [A.D. MVP]: "Re: Restricted Groups > Local Administrators"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 3 Dec 2004 01:57:36 -0600
"Rob" <rjohn@sw.rr.com> wrote in message
news:eOqAj9O2EHA.4072@TK2MSFTNGP10.phx.gbl...
> For some strange reason I have been unable to use GPOs to set the
membership
> of the local administrators group on my PCs. I can make this work on
Domain
> level groups, but not the local administrators group of PCs. I've clearly
> missed something here....
>
> Any tips would be appreciated.
Someone finally taught me the trick to these.
Local groups don't exist on the DCs to this is the
initial problem -- you (like me) probably tend to
run AD Users/Computer and the GPO Editor from
the DCs ONLY.
Install the tools on an XP box or on a Win2000 box
(which has the built-in local groups.) This would
also work on a non-DC server.
ADMINPAK.msi in the DC System32 directory
contains the tools.
Run the tools from there and setup the Restricted
Group -- you will be able to pick the local built-in
groups.
This will work because as built-in groups their
SIDs are predictable.
It probably won't work for any custom local groups
though.
-- Herb Martin > > Rob > >
- Next message: Herb Martin: "Re: Rollback to NT4 Domain from 2000 mixed mode"
- Previous message: Herb Martin: "Re: AD account lock"
- In reply to: Rob: "Restricted Groups > Local Administrators"
- Next in thread: Cary Shultz [A.D. MVP]: "Re: Restricted Groups > Local Administrators"
- Reply: Cary Shultz [A.D. MVP]: "Re: Restricted Groups > Local Administrators"
- Messages sorted by: [ date ] [ thread ]
