Re: Merging user access

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 06/11/04 

Date: Fri, 11 Jun 2004 15:22:00 +0400

Unfortunately I have to agree here. If you need a bit more complex model,
you have no other choice than to configure the same groups manually again
and again. For example, if you have some computers where you must be a local
admin, and all these computers are divided into two subsets: on subset A,
some devs have to be also local admins, and on subset B, some other user
must be an admin. You will have to apply separate GPOs for subset A and B,
and, unfortunately, define yourself as a member of administrators group in
both GPOs, in addition to devs and other user. This is in the countrary to
solution more appropriate and transparent, where you apply one GPO defining
yourself as an admin to all these PCs, and then apply two more GPOs to
different subsets which ADD, instead of REPLACING, membership into
Administrators group. 

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Active Directory
  "hallstein" <hallstein@online.yahoo.com> wrote in message
news:ulkRZ64TEHA.3924@TK2MSFTNGP10.phx.gbl...
  One of the reasons is is because:
  I am not a domain admin, however I am allowed to set myself  as admin on
  every computer I run at my department. Thus I need to replace some users
  getting member of admin group.
  Then some users would like administrator access, since they are
  developers, and truly need to test and install applications from other
  companies. Thus these users should also be set as member of the admin
  group at that specific computer.. I hoped I could merge these settings,
  where I always add myself (and my tech-group) to the admin-group and
  then made a second GPO to add another user. This will not work in the
  current Windows XP gpo as far as I can see.
  Dmitry Korolyov [MVP] wrote:
  > Many different computers, ok. But you can do this. Just place them into
  > corresponding OUs and apply different policies.
  > Could you describe your scenario in more details?
  >

Relevant Pages

  • Re: Low end desktop for EE tasks?
    ... Not only operating and configuring, but also programming in many cases. ... tinkering with their computers. ... The deal was that once you're an admin, ... Where I am now, everyone (well, all the engineers at least) has two ...
    (sci.electronics.design)
  • Re: XP & W2K server User rights need help
    ... before did not install the apps as admin. ... >behaved app. ... >> server non of the users had accounts only the computers ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Nesting domain groups under local groups
    ... They would have to ask the domain admin to remove them ... application is hard coded to check for permissions in the custom local group ... (or custom domain group). ... They can only do this because they are admins of the computers -- were ...
    (microsoft.public.windows.server.active_directory)
  • Re: Delegation Wizard
    ... >> computers OU Built-In or not!! ... > * Configure the delegation of control wizard as mentioned in the links ... > * create separate admin accounts to perform admin tasks ...
    (microsoft.public.win2000.active_directory)
  • Re: Delegation Wizard
    ... > computers OU Built-In or not!! ... * Configure the delegation of control wizard as mentioned in the links ... * create separate admin accounts to perform admin tasks ... * Create an OU for the Admin roles and the admin tasks ...
    (microsoft.public.win2000.active_directory)