Re: Forcing groups into the local admin account

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 02/27/04 

Date: Fri, 27 Feb 2004 02:44:29 -0700

If I have read your post correctly, yes, this can be done
provided that you want to control precisely the membership
of the Administrators group on the machines within the scope
of the GPO that you use. That is to say, you will need to state
exactly what should be in Administrators, and then that is how
it will be, with the only way to change it being changing the GPO
or taking the machine out from the scope of the GPO.
If this fits, then you should look into using Restricted Groups
to define the local Administrators group membership, using
an GPO that is linked to an OU

"Erik" <anonymous@discussions.microsoft.com> wrote in message
news:2f6801c3fcf5$bd22d6f0$a401280a@phx.gbl...
> Is there a way to change, a machine on the domain, local
> administrative groups permissions? I would like to add
> domain groups to a machines local admin group via GPO. I
> would also like the new permissions to replace the
> current permissions except for the local admin account. I
> this possible with a GPO? I have users that will add
> individual user accountsor groups to their machines to
> allow temp accessand then forget they were added.
>
> Thank!!

Relevant Pages

  • Re: Need to fix Local Admin rights problem
    ... Settings/Restricted Groups) all members of the Local Administrators group ... When the techs setup the machines they add domain\users to the ... I would like to fix this with a gpo. ... I would like to allow certain groups to local admin rights on certain ...
    (microsoft.public.windows.group_policy)
  • Re: Allowing local administration
    ... Adding yourself to the administrators group simply gives you full control ... If you want full control over all machines you should add yourself ... Add this script as a *startup* script to a GPO and link the GPO to the ...
    (microsoft.public.windows.server.active_directory)
  • Re: How to globally change machine local admins
    ... You could script a freeware tool called lg on www..joeware.net to do this. ... Basically your script would loop through the machines in a list, ... the administrators group, parse out the entries and remove all of them ... we want to remove users from the local admin group ...
    (microsoft.public.win2000.security)
  • Re: DST Updates Deployed via Group Policy
    ... if they are just reg settings and nothing more then ... WAS able to select the group in the GPO editor so I assumed that it ... things are working, that is, the machines are being healthy little ... however I have not tested the script locally on ...
    (microsoft.public.windows.group_policy)
  • Re: DST Updates Deployed via Group Policy
    ... In KB914387 Microsoft gives you the registry keys that need to be changed ... saw that my EST reg entries were the same as my 2003 server and 2000 ... WAS able to select the group in the GPO editor so I assumed that it could ... things are working, that is, the machines are being healthy little ...
    (microsoft.public.windows.group_policy)