Re: Local Admin

From: Todd J Heron (todd_heron_no_spam_at_hotmail.com)
Date: 09/20/04


Date: Mon, 20 Sep 2004 11:54:47 -0400

This posting is provided "AS IS" with no warranties, and confers no rights.
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:%23goFzdxnEHA.3992@TK2MSFTNGP15.phx.gbl...
> Yes, this is the way to do it. You would want to use the Restricted Group
> GPO. But, there are two things that you need to be aware of before
> continuing:
>
> 1) with the Out-of-the-Box configuration the use of this GPO will flush the
> current users and groups from the local Administrators group and then place
> the group that is your focus in the local Administrators group. So, it is a
> 'wipe and load'-type situation. I do not know about you but I would really
> like the Domain Admins group to be a member of each and every WIN2000 and
> WIN XP Pro system in my environment. So, in addition to your 'focus' Group
> you might want to include the Domain Admins group.....
>
> 2) you really want to pay attention to the warning in step three!
>
> In reference to point 1)....there is a work around. You would need to call
> MS-PSS and get both patches ( one for the WIN2000 systems and one for the
> WINXP Pro systems ) and install that patch on each and every machine. Once
> you do this the processing of the Restricted Groups GPO is altered to simply
> add your 'focus' group. So, if Yourdomain\Support and Yourdomain\Domain
> Admins and Yourdomain\JBlow are currently members of the local
> Administrators group ( either on all or on some of your systems ) they will
> remain members. There would simply be a new addition, namely,
> Yourdomain\focusgroup.
>
> Also, you might want to do a search through the newsgroups before posting a
> question. This is asked quite often. But no biggie.
>
> HTH,
>
> Cary
>
>
> PS. Here is the link to the patch: http://support.microsoft.com/?id=810076
> "ptwilliams" <ptw2001@hotmail.com> wrote in message
> news:%23utd6zvnEHA.2680@TK2MSFTNGP15.phx.gbl...
> > You can do this with the Restricted Groups function of Group Policy:
> > -- http://support.microsoft.com/?id=279301
> >
> >
> > --
> >
> >
> > Paul Williams
> > _______________________________
> > http://www.msresource.net
> >
> >
> > Join us in our free, public forum:
> > http://forums.msresource.net
> > _______________________________
> > "Keith" <@.> wrote in message news:e4t6KqvnEHA.3876@TK2MSFTNGP15.phx.gbl...
> > Is there any way with GPO to make it so that whatever machine a particular
> > user/group log on to they are granted local administrator rights?
> >
> > I don't want to have to go round every machine manually adding them.

"1) with the Out-of-the-Box configuration the use of this GPO will flush the
current users and groups from the local Administrators group and then place
the group that is your focus in the local Administrators group. So, it is a
'wipe and load'-type situation. I do not know about you but I would really
like the Domain Admins group to be a member of each and every WIN2000 and
WIN XP Pro system in my environment. So, in addition to your 'focus' Group
you might want to include the Domain Admins group....."

I previously ran into the unintended side-effect of this one myself!!!

:-)

-- 
Todd J Heron, MCSE
Windows 2003/2000/NT
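
The 'wipe and load' side effect discussed in this thread can be caught before a policy is linked. The following is an added example, not part of the original posts: it parses the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and warns when a Members list for the local Administrators group omits Domain Admins. The sample template, its SIDs, and the function names are constructed for illustration.

```python
import re

ADMINISTRATORS = {"*s-1-5-32-544", "administrators"}  # BUILTIN\Administrators
DOMAIN_ADMINS = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-512$", re.I)  # RID 512

# Constructed sample policy: replaces local Administrators with one group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1604
"""

def group_membership(inf_text):
    """Parse [Group Membership] into {(group, kind): [entries]}."""
    parsed, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = line.partition("=")
        group, sep2, kind = key.strip().rpartition("__")
        if in_section and sep and sep2:
            entries = [v.strip() for v in value.split(",") if v.strip()]
            parsed[(group.lower(), kind.lower())] = entries
    return parsed

def is_domain_admins(entry):
    """True for a Domain Admins SID (RID 512) or a DOMAIN\\Domain Admins name."""
    return bool(DOMAIN_ADMINS.match(entry)) or entry.lower().endswith("\\domain admins")

def audit(inf_text):
    """Return warnings for 'wipe and load' lists that omit Domain Admins."""
    warnings = []
    for (group, kind), entries in group_membership(inf_text).items():
        if group in ADMINISTRATORS and kind == "members":
            if not any(is_domain_admins(e) for e in entries):
                warnings.append(
                    f"{group}: Members list replaces local Administrators "
                    f"with {entries} and omits Domain Admins")
    return warnings

if __name__ == "__main__":
    for w in audit(SAMPLE_INF):
        print("WARNING:", w)
```

Templates in SYSVOL are normally stored as UTF-16, so decode the file accordingly before passing its text to `audit`.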

