Re: Local Admin Group Modification





"xJayboyx" <jgembler@xxxxxxxxx> wrote in message
news:494CC666-1BC6-455D-8BC7-8CD4EBC6934C@xxxxxxxxxxxxxxxx
Thank you, Thank you.. That was very helpful..
You da man!


De nada . . .
Just do not make the restricted group def in a domain-linked
but in an OU linked GPO


"Roger Abell [MVP]" wrote:

You do not want to define Administrators as a restricted group, as
that will do the overwrite as you outline, replacing the membership
of the targeted PCs' Administrators groups.

What you can however do is add (as in merge into) a domain group
to the local Administrators groups without replacing what is already
in their membership. To do this, in a GPO that has those PCs in its
scope, define a restricted group for the domain group to be added,
and then leave the Member list empty but add Administrators to the
Members Of list. If all of the PCs impacted are at current service
pack levels this will merge that domain group into the pre-existing
membership of the machines' Administrators group.

The old alternative, which is problematic as it happens only at boot
and can be reversed for the duration of the boot, is use of a startup
script that verifies and adds when needed.

"xJayboyx" <jgembler@xxxxxxxxx> wrote in message
news:019696D6-C2B8-4F5D-AB4B-0CC9891EEC8B@xxxxxxxxxxxxxxxx
Thank you for the reply... But I'm pretty sure this is what I have already
done.. The problem with this is that it overwrites the current Local
Administrators of each computer in that OU.. It does add the Group that I
want in there but then it takes away the individual user that is also a Local
Admin of their own PC. I would then have to hit every machine to add the
individual user back in.

Correct me if I'm wrong. But that's how my test worked.
Thanks,
Jason


"Herb Martin" wrote:

"xJayboyx" <jgembler@xxxxxxxxx> wrote in message
news:D06CAC66-B5B9-4BFC-90BA-CE9AA5C50F48@xxxxxxxxxxxxxxxx
Is it possible to set up an additional User or group to be added to the Local
Admins group of each PC when a NEW pc joins the Domain??
And do this without having to overwrite the current Local Admin Group of
each PC. I have a lot of individual users that are currently Local Admins of
their personal PC.


Not exactly what you ask, but perhaps even better....

You can create a RESTRICTED Group in a GPO
and assign this GPO to those computers (link to
their OU or the entire domain).

The trick to be able to set this up (since Local Administrators
won't appear if you try to build the GPO on a DC) is to
run the GPO Editor on a copy of XP (or non-DC Windows
Server of course).

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
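
As an added example (not part of the original thread), this Python check tells apart the two Restricted Groups configurations discussed above: Administrators defined as the restricted group (membership is replaced) versus a domain group defined with Administrators in its Member Of list (membership is merged). It assumes the `[Group Membership]` key syntax of a GPO's GptTmpl.inf security template (`<group>__Members`, `<group>__Memberof`), which the thread does not show, and that the caller has already decoded the file to text; the sample templates and the `EXAMPLE\Desktop Admins` name are constructed.

```python
# Added example: classify Restricted Groups entries in a GPO security template.
ADMINS = {"*s-1-5-32-544", "administrators"}  # SID and name of the local group

# Constructed samples; EXAMPLE\... names are placeholders.
REPLACE_INF = r"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\Desktop Admins
"""
MERGE_INF = r"""[Group Membership]
EXAMPLE\Desktop Admins__Memberof = *S-1-5-32-544
EXAMPLE\Desktop Admins__Members =
"""

def group_membership(inf_text):
    """Yield (group, kind, values) for each line of [Group Membership]."""
    in_section = False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep:
            yield group, kind.lower(), [v.strip() for v in value.split(",") if v.strip()]

def admin_effects(inf_text):
    """Return [(effect, group)]: 'replace' overwrites local Administrators,
    'merge' adds the group to the existing membership."""
    effects = []
    for group, kind, values in group_membership(inf_text):
        if kind == "members" and group.lower() in ADMINS:
            effects.append(("replace", group))
        elif kind == "memberof" and any(v.lower() in ADMINS for v in values):
            effects.append(("merge", group))
    return effects

if __name__ == "__main__":
    for name, text in (("replace sample", REPLACE_INF), ("merge sample", MERGE_INF)):
        print(name, admin_effects(text))
```

A "replace" finding in a GPO scoped to workstations is the case where individually granted local admins disappear at the next policy refresh.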







