Re: Restricted group implementation
- From: "T. Uranjek" <toniuranjek@xxxxxxxxxxx>
- Date: Thu, 2 Nov 2006 19:50:55 +0100
Hi François!
I'm having a hard time understanding your problem. If you are trying to
control membership of the local Administrators group through Restricted Groups,
then you shouldn't move computer accounts to different OUs once the GPOs are set.
I do not understand what is "actual member list" or "oldmembers"?
Toni
"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:enIqrkr%23GHA.4268@xxxxxxxxxxxxxxxxxxxxxxx
Yes you understand.
If I query WMI about the local administrator members, will I get the removed
account or the actual members list? Where is the info stored to be
able to bring back the old members?
--
_________________________________________
François Racine
ICQ#: 36826607
More ways to contact me: http://wwp.icq.com/36826607
_________________________________________
"T. Uranjek" <toniuranjek@xxxxxxxxxxx> wrote in message
news:uZEn5im%23GHA.4544@xxxxxxxxxxxxxxxxxxxxxxx
Hi!
Sorry, I didn't understand your last post. Are you talking about moving
computer accounts from an OU where the policy applies to an OU where the policy
does not apply? If yes, this is normal GPO behaviour. A computer (or user)
account has to be in an OU to which the GPO is linked for the GPO to work. You
can also link the GPO anywhere higher in your OU hierarchy and it would still
apply.
Toni
"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:%23NuYKvh%23GHA.2340@xxxxxxxxxxxxxxxxxxxxxxx
I am a scripter and I don't see any problem. But my boss prefers the GPO.
If the GPO is removing the information from the group, when I am moving
the computer to a different OU then the removed account is back. So
where were the removed accounts stored???
"T. Uranjek" <toniuranjek@xxxxxxxxxxx> wrote in message
news:OBK0Fse%23GHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Hi!
Maybe you should check the scripting newsgroup for a scripting solution. If
you find a solution, please let me know.
Toni
"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:O4iSBhe%23GHA.1784@xxxxxxxxxxxxxxxxxxxxxxx
Not true. You can write your "policy" in a text file then run a
vbscript and read what is inside the text file and then do what you
want to do.
"T. Uranjek" <toniuranjek@xxxxxxxxxxx> wrote in message
news:ukAWNOe%23GHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Hi!
Unfortunately, Restricted Groups policies are useful for setting the
same group membership for more than one computer. Even if you
tried to find a scripting solution, you would face the same problem. Scripts
would be different for different users. I am afraid that you will
have to do this manually, unless somebody else comes up with a better
solution.
Toni
"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:O1WMEld%23GHA.924@xxxxxxxxxxxxxxxxxxxxxxx
Yes it is. Isn't it the way to deploy the restricted group?
If you have an organisation with thousands of clients, then you have
3% of your customers who need local admin rights. You will not
want them to be administrator on all computers but just their own.
How would you manage that?
"T. Uranjek" <toniuranjek@xxxxxxxxxxx> wrote in message
news:%23222JCb%23GHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
Hi!
Maybe I've misunderstood your question. UserC wasn't mentioned
before. Are you trying to do this:
Computer T1-->Domain\UserA is local administrator+Domain Admin+Administrator
Computer T2-->Domain\UserB is local administrator+Domain Admin+Administrator
Computer T3-->Domain\UserC is local administrator+Domain Admin+Administrator
Computer T4-->Domain\UserD is local administrator+Domain Admin+Administrator
Computer T5-->Domain\UserE is local administrator+Domain Admin+Administrator
etc.
If your answer is yes, I'm afraid there is no easy way to achieve
your goal, because you're trying to set Restricted Groups policy per
computer.
Toni
"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:u2brO2a%23GHA.4524@xxxxxxxxxxxxxxxxxxxxxxx
Security filtering?
But with the first option UserA, B and C will be administrator on
all computers in this OU? It will be a security problem?!
"T. Uranjek" <toniuranjek@xxxxxxxxxxx> wrote in message
news:ucJnQKX%23GHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
Hi!
First condition is met by default. For the other two you can
create two separate OUs (and GPOs) under current OU, or use
security filtering and keep all computer accounts in the same OU.
First option is less complicated and more transparent.
HTH
Toni
"François Racine" <Francois.Racine@xxxxxxxxxxx> wrote in message
news:%23vH1SlW%23GHA.1784@xxxxxxxxxxxxxxxxxxxxxxx
We are looking to implement the restricted group (for the local
group administrator).
Here is an example:
For all local administrator group: Domain Admin and Administrator Account
Computer T1-->Domain\USERA is local administrator+Domain Admin+Administrator
Computer T2-->Domain\UserB is local administrator+Domain Admin+Administrator
Computer T3-->Domain\USerB is local administrator+Domain Admin+Administrator
All computers are in the same OU.
How should the restricted group be implemented?
--
_________________________________________
François Racine
ICQ#: 36826607
More ways to contact me: http://wwp.icq.com/36826607
_________________________________________
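
The per-computer membership problem discussed in this thread, as an added example that is not code from any of the posters: a report-only check that compares a computer's local Administrators members against a per-computer policy kept in text form. It is written in PowerShell rather than the VBScript mentioned in the thread; the policy format, the function names and the `CONTOSO` domain are assumptions, and the membership list is constructed sample data.

```powershell
# Added illustration; policy format, function names and CONTOSO are assumptions.
# Baseline members for every computer, as in the original post.
$Baseline = @('CONTOSO\Domain Admins', 'Administrator')

# Constructed per-computer policy text: Computer=ExtraAdmin[,ExtraAdmin]
$PolicyText = @'
# computer = additional local administrators
T1=CONTOSO\UserA
T2=CONTOSO\UserB
T3=CONTOSO\UserB
'@

function ConvertFrom-AdminPolicy {
    param([string]$Text)
    $map = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $name, $members = $line -split '=', 2
        if (-not $members) { throw "Malformed policy line: $line" }
        $map[$name.Trim().ToUpper()] = @($members -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $map
}

function Compare-LocalAdmins {
    param([string]$Computer, [string[]]$Actual, [hashtable]$Policy)
    $key = $Computer.ToUpper()
    # A computer missing from the policy gets the baseline only (fail closed).
    $extra = if ($Policy.ContainsKey($key)) { $Policy[$key] } else { @() }
    $desired = @($Baseline) + @($extra)
    # Local accounts are reported as COMPUTER\Name; strip that prefix before comparing.
    $prefix = "^$([regex]::Escape($Computer))\\"
    $seen = @($Actual | ForEach-Object { $_ -replace $prefix, '' })
    [pscustomobject]@{
        Computer   = $Computer
        Unexpected = @($seen    | Where-Object { $_ -notin $desired })
        Missing    = @($desired | Where-Object { $_ -notin $seen })
    }
}

$policy = ConvertFrom-AdminPolicy $PolicyText
# Constructed membership for T2; on a live machine this could come from
# (Get-LocalGroupMember -Group Administrators).Name or a WMI query.
$actualT2 = @('T2\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\UserA')
Compare-LocalAdmins -Computer 'T2' -Actual $actualT2 -Policy $policy
```

The script only reports drift and changes no group membership, so it can run alongside whatever mechanism actually enforces the group.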