Re: restricted groups for local admin rights
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 24 Aug 2005 13:40:49 -0500
When you add a domain user to the local administrator group of a domain
computer they are all powerful on that domain computer but do not have any
special powers in the domain. --- Steve
"Sher" <Sher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1F9C9C42-80B8-4E6C-A18D-92D2D1959CC2@xxxxxxxxxxxxxxxx
> Steven,
> If I want to add one domain user to one computers local administrators
> group, is this the same process I would use or can I just add that domain
> user to the local administrators group on that computer. When you add the
> domain user to the local administrators group the message says :
> administrators have complete and unrestricted access to the
> computer/domain.
> Does this mean the user is now a domain administrator also?
> Thanks again,
> Sher
>
> "Steven L Umbach" wrote:
>
>> First off be sure to use Restricted Groups at the Organizational Unit
>> level
>> and NOT at the domain level or you run the risk of adding users to the
>> administrators group for the domain. Then when you configure it at the OU
>> level the computer accounts that you want these users to be local
>> administrators on must be in the OU [or child OU] where you have the
>> Group
>> Policy linked to. You will not be able to browse to a local
>> administrators
>> group. Simply type in administrators as the group name. From what you
>> describe you want to use the "member of" option for restricted groups.
>> That
>> way you can add a global group to the administrators group without
>> affecting
>> the current membership of the local administrators group on the computers
>> you want to enforce Restricted Groups assuming that you do not want to
>> strictly enforce membership of the local administrators group. I am not
>> sure
>> what icon lock means offhand. When testing your Restricted Groups be
>> sure
>> to reboot or use gpupdate to refresh computer configuration on your XP
>> computers as it can otherwise take up to two hours for changes in Group
>> Policy to propagate to domain computers. Hope some of this helps. ---
>> Steve
>>
>>
>> "Sher" <Sher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:6B6CC986-FCD7-4527-B625-F8AD24247106@xxxxxxxxxxxxxxxx
>> > Hi all,
>> > 2003 server using gp for windows xp workstations
>> > My goal is to use restricted groups under gp to add several users to
>> > the
>> > local workstation administrator group.
>> > I have read several articles on how to do it but it is confusing to me.
>> > My questions:
>> > can I use my current custom gp and just add the restricted group there
>> > or
>> > will it override the other restrictions in the gp for the users that I
>> > add
>> > to
>> > the restricted group?
>> > Can you give me the steps to set this up. (when I tried the other
>> > articles
>> > steps I couldn't browse to the local administrators group to add it as
>> > the
>> > restriction point. In other words, I don't know how to tell the
>> > restricted
>> > group to be related to the local admins group)
>> > Also, under restricted gp the icon has a lock picture on it. What does
>> > this
>> > mean?
>> > Sorry, the restricted groups process hasn't clicked for me yet? I know
>> > I
>> > could use this for other things also but just can't seem to understand
>> > the
>> > process.
>> > Thanks in advance for any help,
>> > Sher
>> >
>> >
>>
>>
>>
.
- References:
- restricted groups for local admin rights
- From: Sher
- Re: restricted groups for local admin rights
- From: Steven L Umbach
- Re: restricted groups for local admin rights
- From: Sher
- restricted groups for local admin rights
- Prev by Date: GPO aint working
- Next by Date: Re: restricted groups for local admin rights
- Previous by thread: Re: restricted groups for local admin rights
- Next by thread: Re: restricted groups for local admin rights
- Index(es):
Relevant Pages
|
