Re: Loginscript is lacking credentials.........

Hi Paul.
What I want to achieve is the following.
We have several organizations involved in our AD.
When a machine is added to the domain, and put in a certain OU, the admins
of that OU should be added to the local administrators group of the machine
in question.
Since users have a nasty habit of deleting entries in the local admins group
I want to achieve this (or at least check) everytime the machine starts.

My problem now is this:
When I tried the "Restricted Groups" approach and entering the data in the
"Memebers of this group" field, this overwrites the other members of the
admin group.

When I try the "Startup Script" approach, using exactly the code that you
described in one of your threads, i.e. the:
net localgroup Administrators /add Domain\OU.Admins
The GPO runs fine (according to gpresult) but there has been no changes to
the admin group. When I run the script locally on a client, it works fine, so
I don't think the script is the problem.
I have placed the GPO handling this script on a CompanyOU level, i.e. this
OU contains other Ou's. Could it be that it has to be applied to the OU that
directly conatins all the client ?

With regards to using the "Restricted Groups" approach I am not sure what
you mean when mention the "memberOf section". How could I solve my issue
using this one ?

Regards
Patrik

--
--------------------------------
Stockholm, Sweden


"Paul Williams [MVP]" wrote:

I responed to the statement:

"...when you configure the members of the "administrators" group, it will
overwrite the existing membership of the group and replace the members with
those specified within the GPO."


Which is talking about configuring the member attribute of the
administrators group and doesn't mention the memberOf section of GPO.
Therefore what the original post stated was correct and I confirmed that.

The original statement isn't that easy to use as the OP is using
non-specific terminology. I guess you misunderstood? Or maybe I did, but
the way I read that is that we are talking about configuring the member tab
of the local group administrators overwrites the current members of this
group.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net




.

Relevant Pages

  • This can be done easily via GPO
    ... This is very easy to do and it can be done with a GPO setting. ... you want to restrict the local Administrators group on all Windows ... GP refresh interval) it will remove other members of the local ...
    (microsoft.public.windows.server.active_directory)
  • Re: I CALL BULL SHIT ON MIKE PAYNES "UPA Members Call to Action" artical.....
    ... The stategy should be to get general info from a larger ... members giving feedback no one knows ANYTHING about what the majority ... upa administrators just fine. ... dosent it seem odd to you that upa administrators have never seen fit ...
    (rec.sport.disc)
  • Re: [Full-Disclosure] UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]
    ... > ever heard for not using security products. ... Many of the people on here care nothing about security, ... >> If Annie's weren't members of Administrators, ... >> Administrators would not have access to apps like IE and OE, ...
    (Full-Disclosure)
  • Re: Help needed setting up roaming administrator
    ... >Administrators group (just type in Administrators, don't browse for it, ... >add your Roaming Local Admins group to the Members of this group section ... GPO associated with the OU that contains the computers I want to use ... restricted group and to define the groups the restricted group will ...
    (microsoft.public.win2000.security)
  • Re: Domain Users to have Local Admin rights
    ... members inside the Restricted Group, but it still doesn't wanna work. ... all machines that are with scope of the GPO carrying the Restricted ... their local Administrators group. ... group you define a Restricted Group definition, ...
    (microsoft.public.windows.server.security)