Re: Group member of another group



We are currently running in Windows 2000 mixed mode. However, it has only ever
had Windows 2003 servers in it. If I upgrade the domain/forest levels to
Windows 2003 will that give me the ability to do nested groups? I noticed
that Windows 2000 native mode allowed for it and assume that 2003 does as
well but didn't want to jump to that conclusion.

"Richard Mueller" wrote:


"Hiro" <Hiro@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:97119E60-584C-4CF2-99BD-C45E7CF41EB4@xxxxxxxxxxxxxxxx
I read the article. But I wasn't able to apply it correctly to my situation.

I already have the local admin group (Active Directory group) added to the
administrators group (local group) on Windows 2000/XP desktops that are
connected to the domain.

I need to create a secondary group called local admin temporary (AD group).
This group needs to be a part of the local admin group (AD group). That way I
don't have to go around to all the desktops and add the local admin temporary
group (AD group) to the administrators group (local group).

Instead of revamping how we do the local admin setup with restricted groups.
Is there a way to just make the local admin temporary group part of the local
admin group?


Hi,

If I understand, you can do exactly as you suggest.

When computers are joined to the domain, the group "Domain Admins" is made a
member of the local Administrators group on the computer. All domain users
that are members of "Domain Admins" then get the permissions granted to the
local Administrators group when they log on to the computer.

You apparently have added a second domain group as a member of the local
Administrators group on all computers. This sounds good. Now you can give
members of this group the permissions of the local Administrators group
without also making them Domain Admins. Let's call this second group GroupA.

If your domain is in Native mode, so that nested groups are allowed, you
create domain groupB and make it a member of GroupA. All members of GroupB
will have the permissions granted to GroupB, including permissions granted
to the local Administrators group on the computers. If this doesn't work,
report back.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
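
The nesting described in this thread, as an added example that is not part of the original posts: a small Python model that resolves who effectively ends up in the local Administrators group once GroupB is nested in GroupA, and flags the users who get there only through nesting. The membership data, the user names and the function names are constructed for illustration; GroupA and GroupB follow the thread's naming.

```python
from collections import deque

LOCAL_ADMINS = "Administrators (local)"

# Constructed sample data: group -> direct members. GroupA and GroupB follow
# the thread's naming; the user names are invented for illustration.
DIRECT_MEMBERS = {
    LOCAL_ADMINS: ["Domain Admins", "GroupA"],
    "Domain Admins": ["alice"],
    "GroupA": ["bob", "GroupB"],
    "GroupB": ["carol", "GroupA"],  # circular nesting, to show it is handled
}


def effective_members(root, direct=DIRECT_MEMBERS):
    """Map each user who ends up in `root` to the group chain that puts them there."""
    found = {}
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        group, chain = queue.popleft()
        for member in direct.get(group, []):
            if member in direct:  # the member is itself a group: descend once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:  # a user: breadth-first order keeps the shortest chain
                found.setdefault(member, chain)
    return found


def via_nesting_only(root, direct=DIRECT_MEMBERS):
    """Users who are admins only because a group is nested inside another group."""
    return sorted(user for user, chain in effective_members(root, direct).items()
                  if len(chain) > 2)


if __name__ == "__main__":
    for user, chain in sorted(effective_members(LOCAL_ADMINS).items()):
        print(f"{user:6} in {' in '.join(reversed(chain))}")
    print("nested-only:", via_nesting_only(LOCAL_ADMINS))
```

Users reported by `via_nesting_only` do not show up when you inspect the local Administrators group or its direct member groups one level down, which is why nested admin groups are worth reviewing periodically.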


