Re: Restricted Groups...with exceptions




If the sites are all within the domain, you shouldn't have to create
OU's at each individual site.

I have multiple sites, and when I change something on Site 1, Site 2 is
gonna hear about it!

If the groups are *global* then they should be *globally* addressable.
Again, I'm assuming you are using different sites/servers in the same
domain. If they aren't in the same domain, or even the same forest
(where global groups would still apply), then yes, you would have to
make separate groups/OU's.

I have OU's for 'employees', 'administrators', and 'customers'. Each
one has a separate policy for access restrictions, IPSec, etc. This
way it isn't so hard.

Are you in mixed-mode with an NT4 machine running as a BDC? If so, you
would have a problem with OU's because NT4 couldn't differentiate
between the OU's. But then again NT4 can't even read GP's anyway.

If the domains are in separate forests, maybe it's time for you to plan
a network redesign as it sounds like they belong in the same forest.

GJBiv wrote:
Hello all, successfully using the group policy restricted groups to allow the
necessary users local admin access globally--it works great, until a new
policy was established. New policy states that some of my users are to be
granted full local administrator rights to their own PCs.

So, now my requirement is certain users need local admin access to all PCs
while some users need admin access to their own PCs.

It would not be desirable to add these users to a global local admins group.
I would prefer to not create another OU (I would have to do this at
multiple sites and then I assume I'd need to manually add my global groups)
where the restricted groups policy is not run...

any thoughts or suggestions on how to accomplish this?

thanks much

george
