Re: Restricted Groups????

We have used this policy to pretty good effect. Basically, the groups that
you specify in this policy get added to the Local Administrator Group on all
workstations the GPO applies to. The other thing to remember is that any
group NOT specified in this policy, that is already part of the Local
Administrator Group, will get removed (for instance, if you don't specify
Domain Admins, this group will get removed).

One of our Administrators applied this policy, and it had some very
interesting effects. Unfortunately, we are currently running in Mixed Mode,
so don't have the ability to use GPOs. This policy was applied, the Domain
Admins group was not specified, and so the Domain Admins was removed from all
Workstations... and Servers... so you can imagine what that was like.

The Restricted Groups for us is set as follows:

Domain Admins
Domain\Administrator
Domain\Tech Group (this is the group we wanted added to all workstations.
Give Helpdesk local admin rights on all workstations).

What I would suggest is if you can use OUs, create a test OU, move a test
computer account to that OU, and then create a GPO using Restricted Groups
for that test area only. Then you can play around with the memberships until
you get it to do what you want.


"Cary Shultz [A.D. MVP]" wrote:

> Henry,
>
> You should be able to do it from either OS.....
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Henry Villegas" <HenryVillegas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5543E69F-9F45-40B2-A5B6-220ABB31A769@xxxxxxxxxxxxxxxx
> > The "Admin" workstation that I am using is XP Pro. I have a mix of 2000 Pro
> > and XP Pro on the network. Is this going to matter? Do I need to be making
> > this GPO from a 2000 Pro Admin workstation?
> >
> > "Cary Shultz [A.D. MVP]" wrote:
> >
> >> Did you follow the MSKB Article that explains how to do this? The big
> >> thing is that you should be doing this on an "Admin" workstation. You
> >> can not really do this on a Domain Controller....
> >>
> >> --
> >> Cary W. Shultz
> >> Roanoke, VA 24012
> >> Microsoft Active Directory MVP
> >>
> >> http://www.activedirectory-win2000.com
> >> http://www.grouppolicy-win2000.com
> >>
> >>
> >>
> >> "Henry Villegas" <HenryVillegas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> message
> >> news:E1A1A057-F80A-46EA-9463-463C1411E3E7@xxxxxxxxxxxxxxxx
> >> > I am very confused with this policy. I am trying to grant a group, OU
> >> > or user local Administrator rights to all computers in my domain
> >> > without giving them Domain Admin Rights. I was able to create this
> >> > policy but it either gave the user Domain Admin Rights or did not work
> >> > at all. Please Help!!
> >>
> >>
> >>
>
>
>
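
Added example, not part of the original thread: a dry run of the replace behaviour described in the top post, so the removals can be reviewed on a test OU before the GPO is linked more widely. It assumes the policy is stored in the `[Group Membership]` section of the GPO's security template (GptTmpl.inf) as `<group>__Members` lines; the `EXAMPLE` domain, the `jsmith` account, the sample data and the function names are all constructed for illustration.

```python
# Added example (not from the thread). Names and sample data are constructed.
SAMPLE_INF = """\
[Group Membership]
Administrators__Memberof =
Administrators__Members = EXAMPLE\\Tech Group,EXAMPLE\\Administrator
"""

# Constructed current membership of local Administrators on one workstation.
CURRENT = ["EXAMPLE\\Domain Admins", "EXAMPLE\\Administrator", "EXAMPLE\\jsmith"]


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from a template."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue  # not a <group>__Members / <group>__Memberof line
        names = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {})[kind.lower()] = names
    return groups


def preview_members(policy_members, current_members):
    """The policy list replaces the membership: return (added, removed)."""
    want = {m.lower(): m for m in policy_members}
    have = {m.lower(): m for m in current_members}
    added = sorted(want[k] for k in want.keys() - have.keys())
    removed = sorted(have[k] for k in have.keys() - want.keys())
    return added, removed


def lockout_risks(removed, must_keep=("Domain Admins",)):
    """Removed principals whose name (without domain prefix) must stay."""
    keep = {m.lower() for m in must_keep}
    return [r for r in removed if r.split("\\")[-1].lower() in keep]


if __name__ == "__main__":
    policy = parse_group_membership(SAMPLE_INF)["Administrators"]["members"]
    added, removed = preview_members(policy, CURRENT)
    print("added:", added)
    print("removed:", removed)
    print("review before linking the GPO:", lockout_risks(removed))
```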