Re: Restricted Groups GPO
From: Matthew Swanson (mswanson75-noSPAM_at_yahoo.com)
Date: 08/03/04
- Next message: Akhlaq Khan: "delegating restricted control of active directory to junior network admin"
- Previous message: Irshard Zahir: "Trust"
- In reply to: ptwilliams: "Re: Restricted Groups GPO"
- Next in thread: Scott Lowe: "Re: Restricted Groups GPO"
- Reply: Scott Lowe: "Re: Restricted Groups GPO"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 2 Aug 2004 22:58:06 -0700
I know it's not as secure as restricted groups, but what about using a
startup script in a group policy that's linked to the OU(s) in question?
The startup script could add the required groups to the local admin group on
the computers. A user with local admin permissions on the box could
manipulate the local admin group membership, so you need to keep this in mind
before you go with this solution. However, I think this might meet your
goal of being able to specify that X groups are always members of the local
admin group.
--
Matthew Swanson
Windows 2000 MCSE

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:uUNdm6MeEHA.592@TK2MSFTNGP11.phx.gbl...
> You dropped this question onto the bottom of another question on restricted
> groups - I answered there.
>
> Basically what you are describing is the correct behaviour of restricted
> groups. You restrict group membership. I know of no work arounds in the
> way you want; but I've not looked into it. I've only used it to stipulate
> what domain groups are members or what local groups - I didn't care that
> nobody else could be a member ;-)
>
> --
>
> Paul Williams
> _________________________________________
> http://www.msresource.net
>
>
> Join us in our new forums!
> http://forums.msresource.net
> _________________________________________
>
>
> "Scott Lowe" <me@privacy.net> wrote in message
> news:2n7jtaFttg5sU1@uni-berlin.de...
> I need to use the Restricted Groups policy setting to enforce
> membership in the local Administrators group on member servers and
> workstations by certain global groups (administration is being
> decentralized via OUs--don't ask, it's a long story). However, there
> is still a need for certain workstations to be able to manually add
> people into the local Administrators group as well. Since the policy
> enforces strict membership (accounts listed in the policy but that
> aren't members are added, accounts that are members but aren't listed
> in the policy are removed), this is impossible.
>
> Any suggestions as to a workaround? How can I specify that "at least"
> certain groups are members without also specifying that no one else is
> also allowed?
>
> --
> Scott Lowe
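The startup-script approach suggested in this message, as an added example that is not code from the thread or from any of its posters: it adds the required groups to the local Administrators group without removing anyone, and logs every other member so manual additions stay visible. It assumes the LocalAccounts cmdlets of Windows PowerShell 5.1 (which postdate this thread); the group names and log path are hypothetical placeholders.

```powershell
# Added example. Runs as a computer startup script (LocalSystem) from a GPO
# linked to the OU. Group names and log path are hypothetical placeholders.
$RequiredGroups = @('EXAMPLE\OU-Server-Admins', 'EXAMPLE\OU-Workstation-Admins')
$AdminsSid      = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$LogDir         = Join-Path $env:ProgramData 'LocalAdminBaseline'
$LogFile        = Join-Path $LogDir 'startup.log'

function Write-Log([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date -Format o), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Snapshot membership before changing anything.
try {
    $before = @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
                ForEach-Object { $_.Name })
} catch {
    Write-Log "ERROR reading Administrators: $($_.Exception.Message)"
    exit 1
}

# Additive step: add what is missing, never remove anything. This is the
# difference from Restricted Groups, which strips unlisted members.
foreach ($group in $RequiredGroups) {
    if ($before -contains $group) { continue }
    try {
        Add-LocalGroupMember -SID $AdminsSid -Member $group -ErrorAction Stop
        # A required group that was missing may have been removed by a local admin.
        Write-Log "ADDED $group (was missing at startup)"
    } catch {
        Write-Log "ERROR adding ${group}: $($_.Exception.Message)"
    }
}

# Audit step: members outside the required list are allowed here, but record
# them so manual additions can be reviewed centrally.
foreach ($member in $before) {
    if ($RequiredGroups -notcontains $member) {
        Write-Log "EXTRA $member"
    }
}
```

The log sits on the machine itself, where a local administrator can edit it, so collect it centrally if the audit trail matters.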