Re: restricted groups for local admin rights
- From: "Sher" <Sher@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 24 Aug 2005 06:50:06 -0700
Hi Steven,
Could you look this over and tell me if it is right?
AD TREE:
my.org
OU myusers (Current gp)
create a global group here and add users for local admin rights
CURRENT GP:
computer configurations
windows
security settings
restricted groups
right click and add group
is this where I type in administrators?
then
this group is a member of
Add global group here
(I'm not understanding how by just typing in administrators that it knows
I'm referring to local administrators and not domain administrators?) Also,
the users who are not in the global group, does it just leave them as domain
users and not local users?
Also, would it be safer to create a seperate sub ou and then create a new gp
for that sub ou for the restriced group? Then move the users to that sub ou?
Thanks again for any help
Sher
"Steven L Umbach" wrote:
> First off be sure to use Restricted Groups at the Organizational Unit level
> and NOT at the domain level or you run the risk of adding users to the
> administrators group for the domain. Then when you configure it at the OU
> level the computer accounts that you want these users to be local
> administrators on must be in the OU [or child OU] where you have the Group
> Policy linked to. You will not be able to browse to a local administrators
> group. Simply type in administrators as the group name. From what you
> describe you want to use the "member of" option for restricted groups. That
> way you can add a global group to the administrators group without affecting
> the current membership of the local administrators group on the computers
> you want to enforce Restricted Groups assuming that you do not want to
> strictly enforce membership of the local administrators group. I am not sure
> what icon lock means offhand. When testing your Restricted Groups be sure
> to reboot or use gpupdate to refresh computer configuration on your XP
> computers as it can otherwise take up to two hours for changes in Group
> Policy to propagate to domain computers. Hope some of this helps. --- Steve
>
>
> "Sher" <Sher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:6B6CC986-FCD7-4527-B625-F8AD24247106@xxxxxxxxxxxxxxxx
> > Hi all,
> > 2003 server using gp for windows xp workstations
> > My goal is to use restricted groups under gp to add several users to the
> > local workstation administrator group.
> > I have read several articles on how to do it but it is confusing to me.
> > My questions:
> > can I use my current custom gp and just add the restricted group there or
> > will it override the other restrictions in the gp for the users that I add
> > to
> > the restricted group?
> > Can you give me the steps to set this up. (when I tried the other
> > articles
> > steps I couldn't browse to the local administrators group to add it as the
> > restriction point. In other words, I don't know how to tell the
> > restricted
> > group to be related to the local admins group)
> > Also, under restricted gp the icon has a lock picture on it. What does
> > this
> > mean?
> > Sorry, the restricted groups process hasn't clicked for me yet? I know I
> > could use this for other things also but just can't seem to understand the
> > process.
> > Thanks in advance for any help,
> > Sher
> >
> >
>
>
>
.
- References:
- restricted groups for local admin rights
- From: Sher
- Re: restricted groups for local admin rights
- From: Steven L Umbach
- restricted groups for local admin rights
- Prev by Date: problems with roaming profile and GPO
- Next by Date: Re: Group Policy "Hide specified Control Panel applets" not working for "Network Connections"
- Previous by thread: Re: restricted groups for local admin rights
- Next by thread: Re: restricted groups for local admin rights
- Index(es):
Relevant Pages
|
