Re: Restricted group functionality



What should I do if someone removes the domain admin group and I want it to
be maintained? Is it possible with that GPO?

"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message news:
%23V4eNBD%23GHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Francois,

By "fix" I mean this MSKB - http://support.microsoft.com/?id=810076.

It simply changes the default behavior of the Restricted Groups GPO from a
"flush and load" - as I call it - to a "append to". And, since this is a
GPO that affects the computer side of things you would have to make sure
that the computer account object(s) in question are located in an OU
(well, Site or Domain as well) to which this GPO is linked....that is how
you would tell that the computer account object T111 has only xxx\admracf
as a member of the local Administrators group.

--
Cary W. Shultz
Roanoke, VA 24012

"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:em1RoSC%23GHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
Which fix?
I saw a fix but it was for XP SP1 and we are SP2 so I presume everything
will be fine.
Yes, we are targeting the administrator group. We have an inventory of
all contents of all administrator groups in our organisation and then I
hope to not forget anything.

If I want to be sure xxx\admracf might be in the local administrator
group and I want to add it on the computer T111, how will I need to
specify it in my restricted group?

--
_________________________________________
François Racine
ICQ#: 36826607
More ways to contact me: http://wwp.icq.com/36826607
_________________________________________

"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message news:
eIzeANC%23GHA.4524@xxxxxxxxxxxxxxxxxxxxxxx
Good morning!

I have found that a lot of people try to do this on a Domain Controller
and they have a problem with the "local groups" part. Since there are
no "local groups" on a Domain Controller (well, just leave it at
that...) making use of the Restricted Groups can be a bit more difficult
than necessary.

Now, if you do this on a Windows 2000 or Windows XP client (running the
GPMC) there should be no problems.

I know that the poster is talking about moving the computer account
objects between OUs (not sure why....you are *supposed* to set up the OU
structure and then leave it alone....).

Also, so that the poster is aware: be careful with restricted groups.
The default behavior is to flush the contents of the "desired group" and
to replace it with whatever you specify in the GPO. If your "desired
group" is the local Administrators group then be sure to include the
Domain Admins in your GPO. Otherwise, have fun.....

There is a fix to this. MS released a patch that you can get from
MS-PSS (no charge). Just make sure that you get the right one. There
is one for WIN2000 clients and there is one for WINXP clients. This
patch must be installed on all systems (Domain Controller as well) to
work. What it does is change the default behavior....the use of
restricted groups will simply add to your "desired group".

--
Cary W. Shultz
Roanoke, VA 24012

"Florian Frommherz" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:uqZSUdA%23GHA.3644@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

François Racine wrote:
If I am applying the restricted group to an OU, the restricted group
will apply correctly and accounts we don't want will be removed. But
if we are moving the computer account to a different OU then the
accounts we don't want will be back? Any explanations? Any suggestions
to make those accounts removed indefinitely?

Why would you move the computers to another OU? Just leave it in the OU
the GP is applied to - or link the GP to an upper OU to have it still
working.

How did you configure your Restricted Groups? Were you using the
"Members of this group.." or "This group is member of..." section?

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
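
Cary Shultz's caveat in this thread (a "Members of this group" list on the local Administrators group replaces its contents, so Domain Admins has to be in the list) can be checked against a GPO's GptTmpl.inf before the GPO is linked; this is an added example, not code from any poster. The sample template, its SIDs and the function names are constructed for illustration, and the "This group is a member of" form is reported separately because it only adds a member.

```python
import re

ADMINS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
DOMAIN_ADMINS_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-512$")  # RID 512

# Constructed sample: [Group Membership] section of a GptTmpl.inf (made-up SIDs).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
"""

def parse_group_membership(text):
    """Return (group, kind, values) tuples from the [Group Membership] section."""
    entries, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, eq, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not (in_section and eq and sep):
            continue
        values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        entries.append((group.lstrip("*"), kind.lower(), values))
    return entries

def is_admins(name):
    # Name match assumes an English-language OS; SIDs are language-neutral.
    return name == ADMINS_SID or name.lower() == "administrators"

def is_domain_admins(name):
    return bool(DOMAIN_ADMINS_SID.match(name)) or name.lower().endswith("domain admins")

def check_admins_restricted_group(text):
    """Classify every policy entry that touches the local Administrators group."""
    findings = []
    for group, kind, values in parse_group_membership(text):
        if kind == "members" and is_admins(group) and values:
            ok = any(is_domain_admins(v) for v in values)
            findings.append(("replace" if ok else "replace-without-domain-admins", values))
        elif kind == "memberof" and any(is_admins(v) for v in values):
            findings.append(("append", [group]))
    return findings

if __name__ == "__main__":
    for finding in check_admins_restricted_group(SAMPLE_INF):
        print(finding)
```

GptTmpl.inf files in SYSVOL are normally UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to the check.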







