Re: Restrict membership of Power users local group


From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 09/06/04


Date: Mon, 6 Sep 2004 17:59:01 +0400

The Restricted Groups feature can do this, but it will make the selected users
members of the Power Users group on _all_ computers where you apply it. You
cannot implement selective membership with a single policy. Either all
desired users will be members of Power Users on all affected computers, or
you need to create a separate policy for each computer/users case - which is
not very effective, and you had better use the scripting solution offered by
Jerold instead of setting dozens of policies.

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Active Directory
  "Jerold Schulman" <Jerry@jsiinc.com> wrote in message
news:ilkoj0ti0eq2vigd1a9omag9l2fcjm1bg6@4ax.com...
  On Mon, 6 Sep 2004 00:47:49 -0700, "Teo Chee Yang"
  <anonymous@discussions.microsoft.com> wrote:
  >I would like to use GPO to restrict the members of Power
  >users local group in each computer. For example:
  >
  >1. For computer1, I would like to add <AD domain>\user1
  >to Power Users group.
  >
  >2. For computer2, I would like to add <AD domain>\user2
  >to Power Users group.
  >
  >and etc....
  >
  >I'm not sure whether Restricted Groups can handle the
  >requirement. If not, is there any other alternative?

  Restricted Groups cannot handle this.

  Create a file that contains
    ComputerName,DomainUserName

  Using psexec, tip 4141 in the 'Tips & Tricks' at http://www.jsiinc.com

    @echo off
    for /f "Tokens=1* Delims=," %%a in (filename.txt) do (
     psexec \\%%a [psexec stuff] net localgroup "Power Users" %%b /ADD
    )

  Jerold Schulman
  Windows: General MVP
  JSI, Inc.
  http://www.jsiinc.com
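
The loop quoted above only adds members, so it does not by itself restrict the group. As an added example (not part of the original posts), the PowerShell script below reads the same ComputerName,DomainUserName file and reports, per computer, which listed users are missing from Power Users and which current members are not listed. It assumes the user column is written as DOMAIN\user, that the WinNT ADSI provider can reach each computer, and PowerShell 3.0 or later; the parameter names and the output columns are illustrative.

```powershell
# Added example: audit local "Power Users" membership against the mapping file.
# The file name and the ComputerName,DomainUserName layout come from the thread;
# parameter names and output columns are assumptions made for this example.
param(
    [string]$MapFile   = 'filename.txt',
    [string]$GroupName = 'Power Users'
)

# Build computer -> expected members (a computer may appear on several lines).
$expected = @{}
foreach ($line in Get-Content -Path $MapFile) {
    # Skip blank or malformed lines instead of passing them on.
    if ($line -notmatch '^\s*([^,\s]+)\s*,\s*(.+?)\s*$') { continue }
    $computer = $Matches[1]
    $user     = $Matches[2]
    if (-not $expected.ContainsKey($computer)) { $expected[$computer] = @() }
    $expected[$computer] += $user
}

foreach ($computer in $expected.Keys) {
    $want = $expected[$computer]
    try {
        $group  = [ADSI]"WinNT://$computer/$GroupName,group"
        $actual = @($group.Invoke('Members') | ForEach-Object {
            # ADsPath looks like WinNT://DOMAIN/name; convert to DOMAIN\name.
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        })
    } catch {
        # Unreachable host, access denied, or no such group on that computer.
        [pscustomobject]@{ Computer = $computer; Status = 'Error'; Member = $_.Exception.Message }
        continue
    }

    # -contains / -notcontains compare case-insensitively by default.
    foreach ($m in @($want | Where-Object { $actual -notcontains $_ })) {
        [pscustomobject]@{ Computer = $computer; Status = 'Missing'; Member = $m }
    }
    foreach ($m in @($actual | Where-Object { $want -notcontains $_ })) {
        [pscustomobject]@{ Computer = $computer; Status = 'NotListed'; Member = $m }
    }
}
```

Rows with Status NotListed are the ones the add-only loop never touches; built-in members such as NT AUTHORITY\INTERACTIVE will appear there unless they are added to the file.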

