Re: localgroup administrators
- From: Yvonne <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 2 May 2007 11:27:02 -0700
OK, I have tested this and we found out that this interferes with some of the
legacy apps. I had to disable the policy and links. However, are there some
residual settings here? It is still going into effect for some users.
"Roger Abell [MVP]" wrote:
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message.
news:3EA5841B-4C19-4019-9916-3E5A84C4A00A@xxxxxxxxxxxxxxxx
True. In most cases where I have implemented restricted groups it has
lasted a little while and then someone comes up and says, hey we want Bob
to be a local admin on these 5 machines and not the rest and Alice to be
local admin only on her machine, etc.
Pretty much the same experience here. The attempt either gets dumped
or leads to a small explosion in single purpose GPOs targeting few
machines each. Just one of the shortcomings in the original GP design
capabilities (i.e. lack of a metalevel that gets specialized at apply time
to handle the "everywhere conceptually the same, but actualized with
per-machine uniqueness"). Thankfully things are changing.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eo708PaiHHA.872@xxxxxxxxxxxxxxxxxxxxxxx
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1E8A67D-0B85-426F-80C8-25D3717A23A3@xxxxxxxxxxxxxxxx
Is your Domain Win2k? You could use a restricted groups policy, but I'm
not sure that it works on Windows 2000.
It does, and the ability to use only the Member Of list also does
if it is W2k Sp4.
However, I do not believe this is a viable solution. As I attempted to
describe in another post in this thread, using the Members list of restricted
group definition replaces the complete and total membership on the
impacted system. This is in my experience more often than not a
non-useful capability as one often needs per-machine uniquenesses.
But you are correct, if poster simply wants to reset the membership
of the machine local Administrators group on many machines to the
exact same membership on them all, then yes, restricted groups would
work for that purpose.
Roger
Here is an article that implies that it does
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx
I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed XP and 2000
environment. W2k3 server. I am trying to use net localgroup administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?
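
The two Restricted Groups forms discussed in this thread, written as the [Group Membership] section of a GPO security template (GptTmpl.inf). This is an added example, not part of any post in the thread; the domain SID and the RID 1105 (a hypothetical "Workstation Admins" domain group) are constructed placeholders.

```ini
; Constructed example. Placeholder domain SID:
;   S-1-5-21-1111111111-2222222222-3333333333
; *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
; RID 512 is Domain Admins; RID 1105 is a hypothetical domain group.

[Group Membership]

; Variant A: "Members" list defined on the local Administrators group.
; The list is authoritative. On every machine the GPO applies to, any
; account or group not listed here is removed from local Administrators
; at policy refresh. This covers the original request (Domain Users out,
; Domain Admins in), but it also removes per-machine admins such as the
; "Bob on these 5 machines" case, which is the objection raised above.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512

; Variant B: "Member Of" list defined on a domain group (use instead of
; Variant A, not together with it). The domain group is added to local
; Administrators and the rest of that group's existing membership is left
; alone, so per-machine additions survive. It does not remove Domain Users
; if they are already members. Needs W2k SP4 or later, as noted above.
;*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
;*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
```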