Local Group Recursion, Creation, and GP

I have hundreds of embedded systems spread across a college campus. I
administer them largely by Group Policy. Our Group policy administration was
quirky with many rights needing to be set, many issues solved, and hence
many bugs created when creating policies or discovering changes in policies
that needed to be propagated to other policies. Some systems have distinct
local groups needing access to functions for that machine only.

All this is made much harder by manufacturers of many embedded systems
requiring Admin rights for their software to run. We also have need to
manage rights for different brands of low-bid systems, and their factory
reps, to work across campus.

All this was made easier [we thought] by creating a standard group policy
for embedded systems. It included references to two local groups:

System Specialists
Local System Operators.

We made both of these members of Administrators (so they could run the
software). We also created these groups by script. Two reboots puts the plan
into place. The first re-boot runs the script and creates the groups. The
second reboot places the groups into "Administrators" if they exist. The
group shows up in the UI with an appropriate "group" symbol next to it.

The standard policy also prevents anyone not in one of these groups from
logging in - an important thing to do with PCs in the closet on a college
campus.

We then have rather simple policies for each class of equipment (with
different maintenance personnel) and each brand of equipment (with different
contractors).

For example, I can take HVAC Equipment made by Honeywell and apply a group
policy that does no more than make the RequiredGroup System Specialists
contain

"DOMAIN\HVACTechs"
"DOMAIN\HoneywellTechs"

Looking at the UI, this looks like it works. The only problem is, the system
never allows members of System Specialists to log in. And it never thinks
they are members of Administrators.

How can I solve this? Is there a way to enable recursive processing for
members of local groups?

thanks

tc
________________________________

"Computers are useless. They can only give you answers." -- Pablo Picasso
________________________________

Toby Considine
Facilities Technology Office
University of North Carolina
Chapel Hill, NC

mail: Toby.Considine @ unc.edu
Phone: (919)962-9073
http://www.newdaedalus.com
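An added example, not code from the original post or from any reply to it. It is PowerShell meant to run on the embedded PC itself as a local administrator, using the WinNT ADSI provider so it works on old and new Windows alike; the group names are the post's own, and DOMAIN stands for the real NetBIOS domain name. One fact worth checking before anything else: SAM on a member computer will not let a local group be a member of another local group (net localgroup fails with error 1388, "wrong account type"), so the only groups a local group can hold are domain groups. The script below creates a local group, puts the domain groups straight into it, reports what each group actually contains (flagging anything that reads as a nested local group or an unresolved SID), and shows whether the current logon token really carries BUILTIN\Administrators.

```powershell
# Added example; not code from the original post. Assumes Windows PowerShell
# on the embedded PC, run by a local administrator. 'DOMAIN' is a placeholder
# for the real NetBIOS domain name; the group names are the ones the post uses.
$ErrorActionPreference = 'Stop'

function Get-LocalGroupMemberDetail {
    # Enumerate one local group and classify each member the way SAM sees it.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Computer = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    try   { $members = @($group.Invoke('Members')) }
    catch { Write-Warning "Local group '$GroupName' not found on $Computer"; return }

    foreach ($m in $members) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $isLocal = $path -like "WinNT://$Computer/*"
        if ($isLocal)                          { $scope = 'Local' }
        elseif ($path -match '^WinNT://S-1-')  { $scope = 'Unresolved SID' }  # orphaned entry
        else                                   { $scope = 'Domain' }
        # SAM refuses to nest one local group inside another (net localgroup
        # reports error 1388, wrong account type). An entry that shows up here
        # as a local Group is therefore not a working nesting and will not be
        # expanded when the logon token is built.
        $flag = if ($isLocal -and $class -eq 'Group') { 'nested local group' } else { '' }
        [pscustomobject]@{
            Group  = $GroupName
            Member = $path -replace '^WinNT://', ''   # e.g. DOMAIN/HVACTechs
            Class  = $class                           # User or Group
            Scope  = $scope
            Flag   = $flag
        }
    }
}

function Set-LocalGroupDomainMembers {
    # Create the local group if missing and put the domain groups straight into
    # it. Domain groups are the only kind of group a local group can hold, so
    # DOMAIN group -> local group is the one nesting step the token will expand.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$DomainGroups,   # 'DOMAIN\HVACTechs' form
        [string]$Computer = $env:COMPUTERNAME
    )
    $machine = [ADSI]"WinNT://$Computer"
    try {
        $group = $machine.Children.Find($GroupName, 'group')
    } catch {
        $group = $machine.Create('Group', $GroupName)
        $group.SetInfo()
    }
    # Idempotent: only add what is not already there, so reruns are harmless.
    $have = @(Get-LocalGroupMemberDetail -GroupName $GroupName -Computer $Computer |
              Select-Object -ExpandProperty Member)
    foreach ($dg in $DomainGroups) {
        $domain, $name = $dg -split '\\', 2
        if ($have -notcontains "$domain/$name") {
            $group.Add("WinNT://$domain/$name,group")
        }
    }
}

function Test-CurrentTokenHasAdministrators {
    # What the security subsystem actually decided for this logon: is
    # BUILTIN\Administrators (S-1-5-32-544) an enabled group in the token?
    # Run this as the technician account. Under UAC run it elevated, because
    # the filtered token marks the group deny-only and it is not listed.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

# The post's Honeywell HVAC example, applied and then audited.
Set-LocalGroupDomainMembers -GroupName 'System Specialists' `
    -DomainGroups 'DOMAIN\HVACTechs', 'DOMAIN\HoneywellTechs'

'System Specialists', 'Local System Operators', 'Administrators' |
    ForEach-Object { Get-LocalGroupMemberDetail -GroupName $_ } |
    Format-Table Group, Member, Class, Scope, Flag -AutoSize

"BUILTIN\Administrators in current token: $(Test-CurrentTokenHasAdministrators)"
```

If the Administrators listing shows "System Specialists" with the "nested local group" flag while the technician's token check returns False, the membership was never expanded, whatever the UI icon suggests; the domain groups have to be placed into Administrators (and into the "Allow log on locally" right) directly, or the local group has to be replaced by a domain group that can be nested.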


