Re: Add additional domain group to local admins groups?



If your machines are all at the current service pack level then a fix is
not needed. Reread the KB you referenced, as it does tell you how
to do what you are after. Just keep in mind that it is not saying so directly,
but assuming that you understand, that to add a group to Administrators
on machines of an OU you are NOT defining Administrators as a
Restricted Group in an OU impacting that OU, but rather you ARE
defining the group to be added to the machine local Administrators
group as a Restricted Group and you are only using the Member Of
(as opposed to Members) settings in the Restricted Group definition.
Reread the KB, it does tell you how, although the language is a little
"strange" in places ("This group is linked to an OU-level GPO"), and
is also unclear in some statements ("If you create multiple Restricted
Groups policies for the same group in multiple GPOs, only one policy
will take effect." umm - actually depends on where linked). If you
compensate some and follow the examples, you should be able to
figure it out.

"Valkan" <spam#npspam.com> wrote in message
news:FZadnZGBdeChrr_ZnZ2dnUVZ_tGdnZ2d@xxxxxxxxxxxxxx
Is using "restricted groups" the only way to automate adding additional
groups other than just "domain administrators" to the local administrators
on all domain workstations?
We would like to have a group with members that are local admins on all
workstations and also have the right to add and remove machine names to
the domain, but not be domain admins.

I have heard that there is some hotfix that was needed to prevent
restricted groups created from a GPO from flushing out the existing local
admins on the machines.
I was told this is that patch even though it doesn't actually say on the
page that's what it does.
http://support.microsoft.com/default.aspx?kbid=810076

We need to add new default local admins without removing the local admins
already on the machines (assigned users need to keep their admin rights in
order to run some apps on their PCs).
Would that hotfix have to be run on every machine on the domain or only on
the machine that was used to create the GPO?
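
The Member Of versus Members distinction from the reply above, as an added example that is not part of the original thread or the KB: a small audit that reads the `[Group Membership]` section of a GPO's security template and reports whether the policy replaces the local Administrators membership or only adds a group to it. It assumes the `group__Members` / `group__Memberof` key layout used by `GptTmpl.inf`; the function names and the S-1-5-21 SID are constructed placeholders.

```python
ADMINS = {"*s-1-5-32-544", "administrators"}  # local Administrators, by SID or by name

def parse_group_membership(inf_text):
    """Return {(group, kind): [values]} from the [Group Membership] section."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep:
            values = [v.strip().lower() for v in value.split(",") if v.strip()]
            entries[(group.lower(), kind.lower())] = values
    return entries

def audit(inf_text):
    """Classify how the template touches the local Administrators group."""
    findings = []
    for (group, kind), values in sorted(parse_group_membership(inf_text).items()):
        if group in ADMINS and kind == "members":
            # Administrators itself is the Restricted Group: its membership is
            # overwritten with this list, dropping existing local admins.
            findings.append(("REPLACES", group, values))
        elif group not in ADMINS and kind == "memberof" and ADMINS & set(values):
            # Another group is the Restricted Group and is only added to
            # Administrators; existing members are left in place.
            findings.append(("ADDS", group, values))
    return findings

# Constructed samples; the S-1-5-21-... SID is a placeholder, not a real value.
DESKTOP_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
REPLACING_GPO = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {DESKTOP_ADMINS}
"""
ADDITIVE_GPO = f"""[Group Membership]
{DESKTOP_ADMINS}__Memberof = *S-1-5-32-544
{DESKTOP_ADMINS}__Members =
"""

if __name__ == "__main__":
    for name, text in (("replacing", REPLACING_GPO), ("additive", ADDITIVE_GPO)):
        print(name, audit(text))
```

A `REPLACES` finding is the configuration that flushes existing local admins; an `ADDS` finding is the Member Of form the reply describes.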



