Re: localgroup administrators



True. In most cases where I have implemented restricted groups it has lasted a little while and then someone comes up and says, hey, we want Bob to be a local admin on these 5 machines and not the rest and Alice to be local admin only on her machine, etc.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:eo708PaiHHA.872@xxxxxxxxxxxxxxxxxxxxxxx

"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E1E8A67D-0B85-426F-80C8-25D3717A23A3@xxxxxxxxxxxxxxxx
Is your Domain Win2k? You could use a restricted groups policy, but I'm not sure that it works on Windows 2000.


It does, and the ability to use only the Member Of list also does
if it is W2k Sp4.

However, I do not believe this is a viable solution. As I attempted to
describe in another post in this thread, using the Members list of restricted
group definition replaces the complete and total membership on the
impacted system. This is in my experience more often than not a non-
useful capability as one often needs per-machine uniquenesses.

But you are correct, if the poster simply wants to reset the membership
of the machine local Administrators group on many machines to the
exact same membership on them all, then yes, restricted groups would
work for that purpose.

Roger

Here is an article that implies that it does
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx
I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed XP and 2000
environment. W2k3 server. I am trying to use net localgroup administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?
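
The difference described in this thread between the Members list and the Member Of list of a restricted group, as an added what-if model (not part of the original posts and not a Microsoft tool). It is a simplified model that tracks domain accounts only; the machine names, the CORP domain, and the account names are constructed for illustration.

```python
# Added example: what-if model of the two Restricted Groups modes discussed
# in this thread. Machine names, the CORP domain and accounts are constructed.

BASELINE = {"CORP\\Domain Admins"}  # assumption: the membership the policy names

# Constructed inventory: domain accounts currently in local Administrators.
INVENTORY = {
    "WS01": {"CORP\\Domain Admins", "CORP\\Domain Users"},
    "WS02": {"CORP\\Domain Users", "CORP\\bob"},
    "WS03": {"CORP\\Domain Admins", "CORP\\alice"},
}


def apply_members(current, members):
    """'Members' list: the resulting membership is exactly the policy list."""
    return set(members)


def apply_member_of(current, groups):
    """'Member Of' list: named groups are added, existing members are kept."""
    return set(current) | set(groups)


def what_if(inventory, policy, mode):
    """Return {machine: (added, removed)} for a policy applied in one mode."""
    apply = {"members": apply_members, "member_of": apply_member_of}[mode]
    report = {}
    for machine, current in sorted(inventory.items()):
        result = apply(current, policy)
        report[machine] = (result - current, current - result)
    return report


def lost_exceptions(inventory, policy, expected_removals):
    """Accounts a 'Members' policy strips beyond those meant to be removed."""
    lost = {}
    for machine, (_, removed) in what_if(inventory, policy, "members").items():
        extra = removed - set(expected_removals)
        if extra:
            lost[machine] = extra
    return lost


if __name__ == "__main__":
    for mode in ("members", "member_of"):
        print(mode)
        for machine, (added, removed) in what_if(INVENTORY, BASELINE, mode).items():
            print(f"  {machine}: +{sorted(added)} -{sorted(removed)}")
    print("unintended:", lost_exceptions(INVENTORY, BASELINE, {"CORP\\Domain Users"}))
```

Running an inventory like this before rollout shows both sides of the trade-off: the Members mode removes Domain Users but also strips per-machine admins such as Bob and Alice, while the Member Of mode keeps them but leaves Domain Users in place.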



