Re: Group Policy and Local Admin rights



Not sure what you mean by precedence here. If you used Restricted Groups
feature of the GP to restrict membership in the Administrators group, then
no, membership on all affected computers will be set up according to what
has been defined in GPO.

I would recommend another solution for your picky application though. Most
picky applications require admin rights because:
1) They need to write files somewhere where normal users don't have Modify
NTFS permission.
2) They need to modify certain registry entries which normal users can't
modify.
3) They need certain system privileges (such as "create permanent shared
objects"), but this is a rare case.

The solution would be: use tools such as ntfilemon and ntregmon
(www.sysinternals.com) to find out these places in the file system and registry,
and then configure NTFS and registry permissions (through GP, of course) so
that a certain group has modify permissions on these places. Then, simply
add users of your application into that group. Works fine, and much safer
than making them all admins.
As for #3, it can be achieved in the same way - grant the required privileges to
that group in GP, but it might be a bit harder to know which privileges they
need. You might need to contact the app vendor for that.

--
Dmitry Korolyov [d__k@xxxxxxxxxxxxxxxxxxxxxx]
MVP: Windows Server - Directory Services


"jason" <jason@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:57B8344C-8003-403F-9FDA-5560E752D5C5@xxxxxxxxxxxxxxxx
> I have a group policy to prohibit user installs of applications; however, I
> have several users who are domain members (and they log into the domain)
> but have LOCAL admin rights for a very "picky" application. I would like to
> still prohibit user installs but keep the local admin rights.
>
> Is this normal behavior for the local rights to take precedence over GP?
>
> thank you
> jason
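The procedure Dmitry describes (monitor the application, find where it is denied write access, grant a dedicated group Modify on just those places, then add the users to that group) is straightforward to script. The block below is an added example and is not part of the original thread or of any Sysinternals tool. It assumes a Process Monitor/Filemon/Regmon export saved as CSV (a constructed sample is embedded), a local group name `PickyApp Users` and an account `CONTOSO\jdoe`, all of which are placeholders. It applies the ACLs directly on one machine; the same directory and key entries are what you would put under Computer Configuration > Windows Settings > Security Settings > File System and Registry to roll them out by GP as the post recommends.

```powershell
# Added example, not from the original post. Requires an elevated session;
# try it on one test machine before rolling the ACEs out through GP.

$groupName = 'PickyApp Users'     # assumed local group name (placeholder)
$appUsers  = @('CONTOSO\jdoe')    # assumed account(s) to put in the group (placeholder)

# --- Step 1: find the places the application is denied access to ----------
# Constructed sample in Process Monitor's CSV layout (Filemon/Regmon show the
# same information in a slightly different layout).
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","pickyapp.exe","4120","CreateFile","C:\Program Files\PickyApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","pickyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\PickyApp\LastRun","ACCESS DENIED","Type: REG_SZ"
"10:01:02.3","pickyapp.exe","4120","CreateFile","C:\Program Files\PickyApp\logs\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","pickyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\PickyApp","SUCCESS","Desired Access: Read"
"10:01:02.5","pickyapp.exe","4120","CreateFile","C:\Program Files\PickyApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-DeniedLocations {
    param([string]$Csv, [string]$ProcessName)
    $rows   = $Csv | ConvertFrom-Csv
    $denied = $rows | Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' }
    # Registry paths start with a hive name (HKLM, HKCU, ...); everything else is a file path.
    # Reduce each hit to its parent container so one ACE covers the whole folder or key.
    $dirs = $denied | Where-Object { $_.Path -notmatch '^HK' } |
            ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique
    $keys = $denied | Where-Object { $_.Path -match '^HK' } |
            ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique
    [pscustomobject]@{ Directories = @($dirs); RegistryKeys = @($keys) }
}

# --- Step 2: create the group and add the application's users -------------
function Set-AppGroupMembership {
    param([string]$Group, [string[]]$Members)
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Users allowed to write PickyApp data' | Out-Null
    }
    foreach ($m in $Members) {
        # Ignore "already a member" errors so the script is safe to re-run.
        Add-LocalGroupMember -Group $Group -Member $m -ErrorAction SilentlyContinue
    }
}

# --- Step 3: grant the group Modify on exactly those places ---------------
function Grant-GroupModify {
    param([string[]]$Directories, [string[]]$RegistryKeys, [string]$Group)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($dir in $Directories) {
        $acl  = Get-Acl -Path $dir
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $Group, 'Modify', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $dir -AclObject $acl
    }
    foreach ($key in $RegistryKeys) {
        # Procmon writes HKLM\...; the PowerShell registry provider wants HKLM:\...
        $psPath = $key -replace '^(HK[A-Z]+)\\', '$1:\'
        $acl  = Get-Acl -Path $psPath
        # SetValue + CreateSubKey + ReadKey is the registry equivalent of Modify.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $Group, 'SetValue, CreateSubKey, ReadKey', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $psPath -AclObject $acl
    }
}

# Review the discovered list before granting anything; then uncomment the last two lines.
$loc = Get-DeniedLocations -Csv $sample -ProcessName 'pickyapp.exe'
$loc.Directories      # C:\Program Files\PickyApp and C:\Program Files\PickyApp\logs
$loc.RegistryKeys     # HKLM\SOFTWARE\PickyApp
# Set-AppGroupMembership -Group $groupName -Members $appUsers
# Grant-GroupModify -Directories $loc.Directories -RegistryKeys $loc.RegistryKeys -Group $groupName
```

After applying the permissions, remove the users from the local Administrators group, log on as one of them and capture the application again: the check that the fix is complete is that no ACCESS DENIED results remain for the process. If some do and they are not file or registry paths, that is the post's case #3, a missing user right, which is granted to the same group under User Rights Assignment in GP rather than by an ACL.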
