Re: localgroup administrators
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 3 May 2007 01:27:27 -0700
Yes, please indicate what it is you did.
Is the effect you are seeing just that some users now cannot
run applications they could previously (when their account
was in Administrators)? That very often is that some filesystem
area of the app, as in Program Files, does not allow write to the
Users group, or similarly in registry HKLM\Software\vendor\app.
"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D339B28-BE77-427C-957B-E0B3255D3135@xxxxxxxxxxxxxxxx
OK, I have tested this and we found out that this interferes with some of the
legacy apps. I had to disable the policy and links. However, are there some
residual settings here? It is still going into effect for some users.
"Roger Abell [MVP]" wrote:
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3EA5841B-4C19-4019-9916-3E5A84C4A00A@xxxxxxxxxxxxxxxx
True. In most cases where I have implemented restricted groups it has
lasted a little while and then someone comes up and says, hey we want Bob
to be a local admin on these 5 machines and not the rest and Alice to be
local admin only on her machine, etc.
Pretty much the same experience here. The attempt either gets dumped
or leads to a small explosion in single purpose GPOs targeting few
machines each. Just one of the shortcomings in the original GP design
capabilities (i.e. lack of a metalevel that gets specialized at apply time
to handle the "everywhere conceptually the same, but actualized with
per-machine uniqueness"). Thankfully things are changing.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eo708PaiHHA.872@xxxxxxxxxxxxxxxxxxxxxxx
"Jeremy" <jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1E8A67D-0B85-426F-80C8-25D3717A23A3@xxxxxxxxxxxxxxxx
Is your Domain Win2k? You could use a restricted groups policy, but I'm
not sure that it works on Windows 2000.
It does, and the ability to use only the Member Of list also does
if it is W2k Sp4.
However, I do not believe this is a viable solution. As I attempted to
describe in another post in this thread, using the Members list of restricted
group definition replaces the complete and total membership on the
impacted system. This is in my experience more often than not a
non-useful capability as one often needs per-machine uniquenesses.
But you are correct, if poster simply wants to reset the membership
of the machine local Administrators group on many machines to the
exact same membership on them all, then yes, restricted groups would
work for that purpose.
Roger
Here is an article that implies that it does
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx
I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed XP and 2000
environment. W2k3 server. I am trying to use net localgroup administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?
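
The following is an added example, not code from any poster in this thread. It parses saved `net localgroup Administrators` output and previews, per workstation, which accounts a Restricted Groups "Members" list would remove, compared with "Member Of" mode, which only adds. Host names, account names and the English-locale command output are constructed assumptions.

```python
# Added example: preview Restricted Groups impact on local Administrators.
# Host names, accounts and captured outputs are constructed sample data.

def parse_net_localgroup(text):
    """Member names from saved `net localgroup <group>` output (English locale)."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):      # dashed rule precedes the member list
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def preview(current, members_list=None, member_of=None):
    """Members mode: membership becomes exactly members_list.
    Member Of mode: the member_of account is added, nothing is removed."""
    cur = {m.lower(): m for m in current}  # account names are case-insensitive
    if members_list is not None:
        want = {m.lower(): m for m in members_list}
    else:
        want = {**cur, member_of.lower(): member_of}
    return {"removed": sorted(cur[k] for k in cur.keys() - want.keys()),
            "added": sorted(want[k] for k in want.keys() - cur.keys())}

CAPTURED = {
    "WS01": r"""Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
EXAMPLE\Domain Users
The command completed successfully.""",
    "WS02": r"""Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\bob
The command completed successfully.""",
}

POLICY_MEMBERS = ["Administrator", r"EXAMPLE\Domain Admins"]
for host, out in CAPTURED.items():
    print(host, preview(parse_net_localgroup(out), members_list=POLICY_MEMBERS))
```

Running the preview against real captured output before linking the GPO shows which per-machine administrators (such as the constructed `EXAMPLE\bob`) would lose access under the Members list.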