Re: localgroup administrators
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 28 Apr 2007 15:05:36 -0700
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3EA5841B-4C19-4019-9916-3E5A84C4A00A@xxxxxxxxxxxxxxxx
True. In most cases where I have implemented restricted groups it has
lasted a little while and then someone comes up and says, hey we want Bob
to be a local admin on these 5 machines and not the rest and Alice to be
local admin only on her machine, etc.
Pretty much the same experience here. The attempt either gets dumped
or leads to a small explosion in single purpose GPOs targeting few
machines each. Just one of the shortcomings in the original GP design
capabilities (i.e. lack of a metalevel that gets specialized at apply time
to handle the "everywhere conceptually the same, but actualized with
per-machine uniqueness"). Thankfully things are changing.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eo708PaiHHA.872@xxxxxxxxxxxxxxxxxxxxxxx
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1E8A67D-0B85-426F-80C8-25D3717A23A3@xxxxxxxxxxxxxxxx
Is your Domain Win2k? You could use a restricted groups policy, but I'm
not sure that it works on Windows 2000.
It does, and the ability to use only the Member Of list also does
if it is W2k Sp4.
However, I do not believe this is a viable solution. As I attempted to
describe in another post in this thread, using the Members list of a restricted
group definition replaces the complete and total membership on the
impacted system. This is in my experience more often than not a
non-useful capability as one often needs per-machine uniquenesses.
But you are correct, if the poster simply wants to reset the membership
of the machine local Administrators group on many machines to the
exact same membership on them all, then yes, restricted groups would
work for that purpose.
Roger
Here is an article that implies that it does
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx
I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed XP and 2000
environment. W2k3 server. I am trying to use net localgroup administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?
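
The difference discussed in this thread, between a Restricted Groups "Members" list (replaces the whole membership) and "Member Of" used alone (only adds), shown as a what-if model over a small fleet. This is an added example, not part of the original thread; the EXAMPLE domain, machine names, inventory and function names are constructed, and only domain principals are modelled.

```python
# Added illustration: what a "Members" policy would change on each machine.
# All machine names, accounts and the EXAMPLE domain are constructed sample data.

def apply_members(current, members_list):
    """'Members' list: resulting membership is exactly the list (replace)."""
    return set(members_list)

def apply_member_of(current, group):
    """'Member Of' used alone: the group is added, existing members stay."""
    return set(current) | {group}

def what_if(fleet, members_list):
    """Per machine, the principals a 'Members' policy would remove and add."""
    report = {}
    for machine, current in fleet.items():
        after = apply_members(current, members_list)
        removed = sorted(set(current) - after)
        added = sorted(after - set(current))
        if removed or added:
            report[machine] = {"removed": removed, "added": added}
    return report

def collateral(fleet, members_list, intended_removals):
    """Removals nobody asked for: the per-machine grants that would be lost."""
    lost = {}
    for machine, change in what_if(fleet, members_list).items():
        extra = [p for p in change["removed"] if p not in intended_removals]
        if extra:
            lost[machine] = extra
    return lost

DA, DU = "EXAMPLE\\Domain Admins", "EXAMPLE\\Domain Users"
FLEET = {  # constructed inventory of local Administrators membership
    "WS01": {DA, DU},
    "WS02": {DA, "EXAMPLE\\bob"},
    "WS03": {DU, "EXAMPLE\\alice"},
}
POLICY = [DA]  # goal from the original question: Domain Admins only

if __name__ == "__main__":
    for machine, change in sorted(what_if(FLEET, POLICY).items()):
        print(machine, change)
    print("collateral:", collateral(FLEET, POLICY, {DU}))
```

Running the model against a real inventory before linking the GPO shows which per-machine grants (Bob, Alice) the "Members" list would silently remove.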