Re: local security group into local Administrator group

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/03/04

Next message: Alex Paoli: "Second Request: Application Folder Redirect Question"
Previous message: Bruce Musgrove: "Re: event ID 1030 , source userenv"
In reply to: Jeff Hicks: "local security group into local Administrator group"
Next in thread: jeff: "Re: local security group into local Administrator group"
Reply: jeff: "Re: local security group into local Administrator group"
Messages sorted by: [ date ] [ thread ]

Date: Sat, 3 Jul 2004 00:20:29 -0700

Evidently some code has a bug as it is not permitted for
machine local groups to nest within other machine local
groups.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Jeff Hicks" <jeffrey_hicks@lycos.com> wrote in message
news:80dc4163.0407021420.d01daaa@posting.google.com...
> Would like to use Restricted Groups to standardize the local
> Administrator group as much as possible. However, on SOME PCs I have
> to have non-standard domain users with Administrative privileges.
>
> I THOUGHT I could get around the "wipe and replace" behavior of
> Restricted Groups by having it add a local security group to the local
> Administrators group (add the local group but not specify the
> members). It LOOKS like it is working. The local group is in the list
> of Administrators in the GUI and in "net localgroup Administrators"
> however the domain users contained in the local group cannot perform
> administrative functions.
>
> What am I missing?
> Is there a better way to get some flexibility of Administrators on a
> case by case basis?

Next message: Alex Paoli: "Second Request: Application Folder Redirect Question"
Previous message: Bruce Musgrove: "Re: event ID 1030 , source userenv"
In reply to: Jeff Hicks: "local security group into local Administrator group"
Next in thread: jeff: "Re: local security group into local Administrator group"
Reply: jeff: "Re: local security group into local Administrator group"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

RE: Permissions
... administrative permissions in each domain (Domainb.local ... Create a local group on the member server in the ... >Symptom 1 often occurs when the domain administrators ...
(microsoft.public.win2000.security)
Re: Settle a Administrators dispute
... in the Administrators built in group and when I logged on with the user, I couldn't create/modify/delete users or modify distribution groups. ... Administrators Local Group on the DC but not in the Domain Admins ... Or with a restricted group in group policy. ... giving domain users administrative rights on their workstations is a very bad idea but then it sounds like they're already domain admins so I don't suppose it makes much difference now. ...
(microsoft.public.windows.server.active_directory)
Re: Settle a Administrators dispute
... the Administrators Local Group ON THE DOMAIN CONTROLLER. ... Administrators Local Group on the DC but not in the Domain Admins ... Or with a restricted group in group policy. ...
(microsoft.public.windows.server.active_directory)
Re: localgroup administrators
... I took the original post at face value of "set a group ... policy to remove domain users and only add domain admins to local group ... administrators on workstations", which translates in my brain as a full ... admins to local group administrators on workstations. ...
(microsoft.public.windows.group_policy)
Re: Add users to local admin via login script
... net localgroup administrators interactive /add ... used to add the user to a local group, ... so a Startup script can add users to local ... The suggested solution is to use a Startup script to add a domain group to ...
(microsoft.public.windows.server.active_directory)