Re: restricted groups for local admin rights



First off, be sure to use Restricted Groups at the Organizational Unit level
and NOT at the domain level, or you run the risk of adding users to the
administrators group for the domain. Then, when you configure it at the OU
level, the computer accounts that you want these users to be local
administrators on must be in the OU [or child OU] where you have the Group
Policy linked.

You will not be able to browse to a local administrators group. Simply type
in administrators as the group name. From what you describe, you want to use
the "member of" option for restricted groups. That way you can add a global
group to the administrators group without affecting the current membership
of the local administrators group on the computers where you want to enforce
Restricted Groups, assuming that you do not want to strictly enforce
membership of the local administrators group.

I am not sure what icon lock means offhand.

When testing your Restricted Groups, be sure to reboot or use gpupdate to
refresh computer configuration on your XP computers, as it can otherwise
take up to two hours for changes in Group Policy to propagate to domain
computers. Hope some of this helps.

--- Steve


"Sher" <Sher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6B6CC986-FCD7-4527-B625-F8AD24247106@xxxxxxxxxxxxxxxx
> Hi all,
> 2003 server using gp for windows xp workstations
> My goal is to use restricted groups under gp to add several users to the
> local workstation administrator group.
> I have read several articles on how to do it but it is confusing to me.
> My questions:
> can I use my current custom gp and just add the restricted group there or
> will it override the other restrictions in the gp for the users that I add
> to the restricted group?
> Can you give me the steps to set this up. (when I tried the other
> articles steps I couldn't browse to the local administrators group to add
> it as the restriction point. In other words, I don't know how to tell the
> restricted group to be related to the local admins group)
> Also, under restricted gp the icon has a lock picture on it. What does
> this mean?
> Sorry, the restricted groups process hasn't clicked for me yet? I know I
> could use this for other things also but just can't seem to understand the
> process.
> Thanks in advance for any help,
> Sher
>
>
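
An added example, not part of the thread above: a Python check that tells the "member of" configuration Steve recommends apart from strict enforcement of the local administrators group. It goes beyond the post by assuming the GPO's settings are read from its security template (GptTmpl.inf), where Restricted Groups entries sit in a `[Group Membership]` section as `<group>__Memberof` and `<group>__Members` lines; the domain, group name and SIDs in the samples are constructed.

```python
# Added example: audit Restricted Groups entries in a GPO security template.
# Sample text is constructed; the domain, group name and SIDs are placeholders.
ADMIN_IDS = {"*s-1-5-32-544", "administrators"}  # well-known SID or typed name

SAMPLE_MEMBER_OF = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
EXAMPLE\\Workstation Admins__Memberof = Administrators
EXAMPLE\\Workstation Admins__Members =
"""

SAMPLE_MEMBERS = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,EXAMPLE\\Workstation Admins
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if sep and kind.lower() in ("members", "memberof"):
            entry = groups.setdefault(name, {"members": [], "memberof": []})
            entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def audit_local_admins(inf_text):
    """Classify how the template touches the local Administrators group."""
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        # Administrators is itself the restricted group with a member list:
        # local membership is replaced by that list (strict enforcement).
        if group.lower() in ADMIN_IDS and entry["members"]:
            findings.append(("strict", group, entry["members"]))
        # Another group is declared a member of Administrators: it is added
        # and existing local members are left alone ("member of").
        for parent in entry["memberof"]:
            if parent.lower() in ADMIN_IDS:
                findings.append(("additive", group, [parent]))
    return findings
```

A "strict" finding on a GPO that was meant to be additive is the case to catch before the policy is linked, since it replaces whatever accounts are currently in the local group.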

