Re: localgroup administrators



"neo [mvp outlook]" <neo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OJX$HDdiHHA.4812@xxxxxxxxxxxxxxxxxxxxxxx
I agree with your post, but based on the other posts it isn't clear what
Yvonne wants to do. I took the original post at face value of "set a group
policy to remove domain users and only add domain admins to local group
administrators on workstations", which translates in my brain as a full
reset where the only 2 members of the local administrators group are
built-in\administrator and Domain Admins. So I stand by my original answer
of restricted group policy until such time as Yvonne clarifies what the end
result should be.

/neo


Well yes, I can agree with that point of view.

I think what threw me off (besides experience of usually needing
some per-box member of Administrators beyond DA and built-in)
was that the attempt was to only remove something from the group.

Anyway, original poster now has more than sufficient info to
go this way or that.

Roger




"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ek11r5IiHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx
"neo [mvp outlook]" <neo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:erKl6QGiHHA.4064@xxxxxxxxxxxxxxxxxxxxxxx
In a Windows 2003 domain, I would use a restricted groups GPO. Since
you didn't mention SP levels of operating systems involved, take a peek
at:
http://support.microsoft.com/kb/228496
http://support.microsoft.com/kb/810076


That is probably not workable in this case, since poster must remove
specific domain users from membership, but likely does not want to
remove all local accounts (which may vary per machine).
If poster wants precisely the same membership in Administrators
group of all machines under sway of each GPO, then yes, this route
would work.


"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx
I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed XP and 2000
environment. W2k3 server. I am trying to use net localgroup administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?
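
The two outcomes debated in this thread, as an added example that is not part of any poster's message: it parses `net localgroup Administrators` output and lists the `/add` and `/delete` commands a targeted script would issue, next to the changes a full reset to "built-in Administrator plus Domain Admins" implies. The `EXAMPLE` domain, the `helpdesk-local` account and the sample output are constructed, and `plan_full_reset` only models the end state of a restricted groups policy, which Group Policy applies itself.

```python
# Added example (not from the thread). The EXAMPLE\... names and the sample
# output are constructed; the layout is what `net localgroup <group>` prints.
SAMPLE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\Domain Users
helpdesk-local
The command completed successfully.
"""

def parse_members(output):
    """Return the member names listed below the dashed rule."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def _cmd(member, switch):
    return 'net localgroup Administrators "%s" /%s' % (member, switch)

def plan_targeted(current, remove, ensure):
    """Script route: delete only the named entries, add only what is missing."""
    have = {m.lower() for m in current}
    cmds = [_cmd(m, "delete") for m in remove if m.lower() in have]
    cmds += [_cmd(m, "add") for m in ensure if m.lower() not in have]
    return cmds

def plan_full_reset(current, allowed, builtin="Administrator"):
    """Full-reset end state: every member not in `allowed` (or built-in) goes."""
    keep = {m.lower() for m in allowed} | {builtin.lower()}
    have = {m.lower() for m in current}
    cmds = [_cmd(m, "delete") for m in current if m.lower() not in keep]
    cmds += [_cmd(m, "add") for m in allowed if m.lower() not in have]
    return cmds

if __name__ == "__main__":
    members = parse_members(SAMPLE)
    for c in plan_targeted(members, [r"EXAMPLE\Domain Users"], [r"EXAMPLE\Domain Admins"]):
        print("targeted:  ", c)
    for c in plan_full_reset(members, [r"EXAMPLE\Domain Admins"]):
        print("full reset:", c)
```

On the sample machine the targeted plan removes only Domain Users, while the full reset also drops the per-box `helpdesk-local` account.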







