Re: localgroup administrators

From: "neo [mvp outlook]" <neo@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 28 Apr 2007 13:06:58 -0700

I agree with your post, but based on the other posts it isn't clear what
Yvonne wants to do. I took the original post at face value of "set a group
policy to remove domain users and only add domain admins to local group
administrators on workstations", which translates in my brain as a full
reset where the only 2 members of the local administrators group is
built-in\administrator and Domain Admins. So I stand by my original answer
of restricted group policy until such time as Yvonne clarifies what the end
result should be.

/neo

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ek11r5IiHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx

"neo [mvp outlook]" <neo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:erKl6QGiHHA.4064@xxxxxxxxxxxxxxxxxxxxxxx

In a Windows 2003 domain, I would use a restricted groups GPO. Since you
didn't mention SP levels of operating systems involved, take a peek at:
http://support.microsoft.com/kb/228496
http://support.microsoft.com/kb/810076

That is probably not workable in this case, since poster must remove
specific domain users from membership, but likely does not want to
remove all local accounts (which may vary per machine).
If poster wants precisely the same membership in Administrators
group of all machines under sway of each GPO, then yes, this route
would work.

"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx

I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed xp and 2000
environment. W2k3 server. I am trying to use net localgroup
administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?

Follow-Ups:
- Re: localgroup administrators
  - From: Roger Abell [MVP]

References:
- Re: localgroup administrators
  - From: neo [mvp outlook]
- Re: localgroup administrators
  - From: Roger Abell [MVP]

Prev by Date: GPO Reinstall
Next by Date: Re: localgroup administrators
Previous by thread: Re: localgroup administrators
Next by thread: Re: localgroup administrators
Index(es):
- Date
- Thread

Relevant Pages

Re: local security group into local Administrator group
... > to have non-standard domain users with Administrative privileges. ... > Restricted Groups by having it add a local security group to the local ... > Administrators group (add the local group but not specify the ... > of Administrators in the GUI and in "net localgroup Administrators" ...
(microsoft.public.windows.group_policy)
RE: Permissions
... administrative permissions in each domain (Domainb.local ... Create a local group on the member server in the ... >Symptom 1 often occurs when the domain administrators ...
(microsoft.public.win2000.security)
Re: SBS 2003 Premium Setup of end users.
... In the Local Users & Groups | Groups | Administrators ... I saw an entry for domain users and I deleted it. ... SBS needs a user to have local admin permissions on the workstation to ... That hard drive currently resides on the Workstation1 unit as a spare ...
(microsoft.public.windows.server.sbs)
Re: Admin right for station
... You could add "NT Authority\Interactive" to the local Administrators ... This is more secure than adding "Authenticated Domain Users", ... It runs under the system context and has admin rights. ...
(microsoft.public.windowsxp.security_admin)
RE: GPO for local admin right?
... you have to logon as a local administrator on your ... client computer. ... To add domain users as a local administrator, you have to manually do it on ... Expand Groups and double click Administrators. ...
(microsoft.public.windows.server.sbs)