Re: Adding Local Administrators Using Group Policy



This is the nature of restricted groups. Sometimes this result is desirable
and sometimes it is not.

Until you remove the GPO settings, any non-restricted group members will be
removed from the group.

You can add one-offs back to the local Administrator group with a script or
using cusrmgr from the 2k reskit.

--
/kj
"AndyG" <AndyG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:58CFE2D4-C2FF-412A-B426-AC7A376AF55D@xxxxxxxxxxxxxxxx
I'm running into a problem with adding local administrators to my
workstations OU. I created the administrator group in 'Restricted Groups'
under Computer Configuration>Security Settings. Although it worked and
pushed the Domain Admin group as a local administrator, it also removed
any IDs that were present. We have some PCs where the user needs to be local
admin, so we would add the individuals on an as-needed basis. Now any
individuals we've added or add get overwritten by group policy after
reboot.
Is there another setting that will allow individual IDs that aren't being
pushed by GP to stay? Or is there a better way to get Domain Admins to
the local admin group?

Thanks

AG
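
The "add one-offs back with a script" approach from the reply, sketched as an added example (not code from either poster). It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, a constructed per-computer list of approved accounts, and that it is run again after each policy application (for example as a startup script), since the Restricted Groups setting removes these members every time it is applied. The function names and the `EXAMPLE` domain are hypothetical.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
# Constructed sample data: computer name -> accounts approved as one-off local admins.
$OneOffAdmins = @{
    'WKS-EXAMPLE-01' = @('EXAMPLE\jdoe')
    'WKS-EXAMPLE-02' = @('EXAMPLE\asmith', 'EXAMPLE\bjones')
}

# Well-known SID of BUILTIN\Administrators; avoids depending on a localized group name.
$AdminsSid = 'S-1-5-32-544'

function Get-MissingMember {
    # Returns the approved accounts not currently in the group (case-insensitive).
    param([string[]]$Approved, [string[]]$Current)
    @($Approved | Where-Object { $Current -notcontains $_ })
}

function Restore-OneOffAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [hashtable]$Map = $OneOffAdmins
    )
    # Machines without an entry get nothing beyond what the GPO pushes.
    if (-not $Map.ContainsKey($ComputerName)) { return }

    $current = @(Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.Name })
    foreach ($account in Get-MissingMember -Approved $Map[$ComputerName] -Current $current) {
        if ($PSCmdlet.ShouldProcess($account, 'Add to local Administrators')) {
            Add-LocalGroupMember -SID $AdminsSid -Member $account -ErrorAction Stop
            # Emit a record so each re-add is visible in the script's log or transcript.
            [pscustomobject]@{
                Time     = Get-Date
                Computer = $ComputerName
                Added    = $account
            }
        }
    }
}

# Dry run: lists what would be added on this machine without changing the group.
Restore-OneOffAdmin -WhatIf
```

Keeping the approved accounts in one reviewed list means the exceptions to the policy are recorded in a single place rather than scattered across individual PCs.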

