Re: Local security group
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 14 Oct 2006 06:38:03 -0700
Hi Mark,
Well, I do not know what "domain account a member of the local
restricted user account" means, but if that is some group in which
their account is made member then that also could be guaranteed
through use of restricted groups.
What I outlined should work for you with the environment you
have now described. Since I do not know what being a member
of the local restricted user account is meaning, I will assume it is
a group that is defined on each client machine, not a domain group.
In a new GPO linked to the OU that contains the XP client machines
Set the name of the XP built-in adm account, say to Turkey
Define three restricted groups
  name Administrators
    use members list to state Turkey and Domain Admins
  name Domain Users
    use the members-of list to state Users
    leave the members list alone/empty
  name "restricted users group"
    use members list to state Domain Users
Make sure that the Computer part of this new GPO is
enabled and then after it has applied each XP client
should have
1. Administrators group containing only Turkey and Domain Admins
2. Users group containing at least Domain Users
3. "local restricted group" containing only Domain Users
"Mark Bowles" <MarkBowles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D37A6677-2F5A-4E2F-AE60-31EB71209770@xxxxxxxxxxxxxxxx
Roger,
The environment is SBS2K3(sp1) with XP workstations (sp2). We have users
that have their domain userid's as a member of the local administrators group
on their workstation. If I remove them from the local administrators group
and have their domain account as domain user when they login using their
domain account what rights will they have? The other option is to use a group
policy to make their domain account a member of the local restricted user
account. That setting we have tested and know that it gives the users enough
rights to run their programs.
I have tested using a Restricted Group definition in a GPO linked to OU
containing the client machines but it's not working and I am sure it's because
I don't have it set up correctly.
Thanks for any help you can offer.
Mark
"Roger Abell [MVP]" wrote:
Well, this sort of depends on just what environment you
have and what you mean by changing them all to the
restricted local security rights.
If you have a domain, then using a Restricted Group
definition in a GPO linked to OU containing the client
machines
In this GPO
1. use the policy to rename Administrator, such as to Donkey
2. define Administrators as a Restricted Group that has
as its members Domain Admins, and Donkey
Then, no domain or machine local accounts would be
members of Administrators on machines in that OU once
the GPO applied.
Now, I assume that they are all already members of Users
on those machines so that this would then leave them as
limited users (i.e. members of at most Users group)
Roger
"Mark Bowles" <MarkBowles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A85FDACD-52CA-41BF-A608-2E8FC62201B9@xxxxxxxxxxxxxxxx
I have a client we have been testing restricted user local rights with all of
their apps and it went well. I would like to use a group policy to change all
the workstations and their respective users to the restricted local security
group. Can I do this using a group policy?
Thanks
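A check for the end state listed in Roger's reply (items 1 to 3), as an added example that is not part of the original thread: it parses the output of `net localgroup <group>` captured on a client and reports missing or unexpected members. The domain name EXAMPLE, the account mbowles and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `net localgroup Administrators` output from an XP client
# on which a domain user (EXAMPLE\mbowles, hypothetical) is still a local admin.
SAMPLE_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Turkey
EXAMPLE\\Domain Admins
EXAMPLE\\mbowles
The command completed successfully.
"""

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def check_group(output, expected, exact):
    """Compare actual membership with the expected list.

    exact=True  -> group must contain only `expected` (a Restricted Groups
                   "members" list replaces the whole membership).
    exact=False -> group must contain at least `expected` (a "members-of"
                   entry only adds, it does not remove other members).
    Names are compared case-insensitively with the DOMAIN\\ prefix kept, so a
    local account and a domain account of the same name stay distinct.
    """
    actual = {m.lower() for m in parse_members(output)}
    wanted = {e.lower() for e in expected}
    missing = sorted(wanted - actual)
    extra = sorted(actual - wanted) if exact else []
    return {"ok": not missing and not extra, "missing": missing, "extra": extra}

if __name__ == "__main__":
    # Item 1: Administrators must hold only Turkey and Domain Admins.
    print(check_group(SAMPLE_ADMINS, ["Turkey", "EXAMPLE\\Domain Admins"], exact=True))
```

Run it with `exact=False` for the Users group (item 2) and `exact=True` for Administrators and the local restricted group (items 1 and 3).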