Re: Restricted Groups and Power Users
- From: Joe <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Oct 2007 07:14:06 -0700
Roger,
Thanks again for the reply. I forgot about the RSOP so I will look at that.
I have also created a policy to control the Power Users group to avoid this
problem in future. A couple of our applications require that the users be
Power Users.
Thanks for the help.
Joe
"Roger Abell [MVP]" wrote:
Hi Joe,
From what you have stated you are taking complete control
over the machine local Administrators group of computers
within scope of that GPO. That GPO is not affecting the
Power Users group at all. Your cause must be elsewhere.
Have you tried moving a computer where this is happening
out from the scope of the new GPO, or running resultant
policy on one to try to see what it is that is affecting the
membership of the Power Users group? What you have
stated is all correct provided you do want to do such as
remove the machine local built-in Administrator and all
other machine local accounts from Administrators (note
that the first cannot really be done). What I suggest is that
you also use the computer policy to rename the local builtin
Administrator account (so it has a known name) and then
add this to the member-of list in your restricted group def.
As an aside, the distinction between Power Users and
Administrators is very thin, and easily breached. Making
your users Power Users is at best marginally better than
just making them Administrators. A user wanting to could
fairly easily find code to make themself a full admin.
Roger
"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5EFD7AEA-B896-4E09-9D03-1E1072090D9B@xxxxxxxxxxxxxxxx
Roger,
Thanks for the reply. I will try to explain how I created the GPO. If
there is an address I can send screen shots I'm happy to do that as well.
1) created a GPO called "Local Admin Policy Wkstn".
2) in the GPO, navigated to Computer Configuration/Windows Settings/Security Settings/Restricted Groups.
3) added a group called "Administrators"
4) in Properties, I added the AD group "Local_PC_Admin_Wkstn" to "Members of this group". The field "This group is a member of:" is empty.
5) linked the GPO to the OU company/org/computers.
6) enabled the GPO for the linked OU.
7) set Security Filtering to include Domain Users, Authenticated Users, and System.
8) in the AD group "Local_PC_Admin_Wkstn" I added the group "ERP Users" and the group "Domain Admins".
That's it. When it was enabled, the existing Local Admin users were removed
and the group "Local_PC_Admin_Wkstn" was added as expected. However, the
helpdesk reports that users are being removed from the Power Users group each
time group policies are enforced.
Did I miss something in all this?
Thanks,
Joe
"Roger Abell [MVP]" wrote:
You probably need to tell us what you did in the GPO.
A restricted group definition for Administrators will not
have any impact on the membership of any other group
except Administrators and groups in its "member of" list.
"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DCA4FA87-E145-4D27-99D4-C9F611A2BB40@xxxxxxxxxxxxxxxx
I recently implemented a Restricted Groups GPO to control who has local admin
rights on workstations. The GPO worked OK, but it seems to have affected the
Power Users group as well. Users that were members of their local Power
Users group no longer appear in that group. Does anyone know why my GPO
would affect this group as well?
Thanks,
Joe
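
Added example, not part of the original thread: one way to look for the policy that is touching Power Users is to read the `[Group Membership]` section of each GPO's security template (`GptTmpl.inf`) and report which ones manage that group. The template contents, the second GPO name and the domain SIDs below are constructed for illustration; `S-1-5-32-544` and `S-1-5-32-547` are the well-known SIDs for Administrators and Power Users.

```python
# Added example: sample templates below are constructed, not taken from the thread.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

def parse_group_membership(inf_text):
    """Return (group, kind, values) tuples from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        names = [WELL_KNOWN.get(v.strip().lstrip("*"), v.strip().lstrip("*"))
                 for v in value.split(",") if v.strip()]
        group = group.lstrip("*")
        entries.append((WELL_KNOWN.get(group, group), kind.lower(), names))
    return entries

def policies_touching(target, templates):
    """Map GPO name -> how its Restricted Groups entries affect `target`."""
    hits = {}
    for gpo, text in templates.items():
        for group, kind, names in parse_group_membership(text):
            if kind == "members" and group == target:
                # "Members" is authoritative: anyone not listed is removed on refresh.
                hits[gpo] = "enforces members: " + (", ".join(names) or "(empty list)")
            elif kind == "memberof" and target in names:
                # "Member of" only adds the group; existing members are left alone.
                hits.setdefault(gpo, "adds " + group)
    return hits

SAMPLE_TEMPLATES = {  # constructed GptTmpl.inf contents; domain SIDs are placeholders
    "Local Admin Policy Wkstn": (
        "[Unicode]\nUnicode=yes\n[Group Membership]\n"
        "*S-1-5-32-544__Memberof =\n"
        "*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105\n"),
    "Other Workstation Policy (hypothetical)": (
        "[Group Membership]\n"
        "*S-1-5-32-547__Memberof =\n"
        "*S-1-5-32-547__Members =\n"),
}

if __name__ == "__main__":
    for gpo, effect in policies_touching("Power Users", SAMPLE_TEMPLATES).items():
        print(f"{gpo}: {effect}")
```

With the constructed data, only the hypothetical second GPO is reported for Power Users, while the Administrators-only definition described in the thread is not.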