Re: Loginscript is lacking credentials.........



Hi again

Another problem that arises is the fact that when you configure the members
of the "administrators" group, it will overwrite the existing membership of
the group and replace the members with those specified within the GPO.

In our company the domain users are local admins on their machines,
i.e. a user is local admin on his/her workstation.

Therefore this setup does not work.

So, back to the drawing board.

"Paul Bergson" wrote:

You could use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Patrik_L" <PatrikL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5C573B66-1095-46CC-B787-7AF8D18D8430@xxxxxxxxxxxxxxxx
Hi
In my login script, that I execute via GPO, I have code that adds a certain
domain group (admin group) to the local administrators group of the
underlying computer.

Now I have come to realize that, unless the user who is logging on to the
machine is a member of the local administrators group him/herself, this
does not work.
Hence, it appears that the login script is executed with the same
permissions as the user logging in!?

I was under the impression that all GPOs ran with top admin credentials.
If this is not the case, how do I make the script run with admin
credentials?

Thanks
Patrik
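
Added example, not part of the thread: the two Restricted Groups modes mentioned above are stored differently in a GPO's security template (GptTmpl.inf), and only the "Members of this group" form replaces the existing local Administrators membership, while the "member of" form adds the group and leaves other members alone. The sketch below parses a constructed [Group Membership] section and reports which mode each entry uses against local Administrators; the SIDs and the function names are made up for illustration.

```python
# Added example: classify Restricted Groups entries in a GptTmpl.inf by their
# effect on the local Administrators group. All sample data is constructed.
ADMINS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-1601__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1601__Members =
"""

def group_membership(inf_text):
    """Yield (group, kind, values) for each line of [Group Membership]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        yield group, kind.lower(), values

def admin_effects(inf_text):
    """Return (effect, group, values) for entries touching local Administrators."""
    findings = []
    for group, kind, values in group_membership(inf_text):
        if kind == "members" and group.lower() in ADMINS:
            # "Members of this group": the listed principals replace current members.
            findings.append(("replace", group, values))
        elif kind == "memberof" and any(v.lower() in ADMINS for v in values):
            # "This group is a member of": the group is added, others are untouched.
            findings.append(("additive", group, values))
    return findings

if __name__ == "__main__":
    for effect, group, values in admin_effects(SAMPLE_INF):
        print(effect, group, values)
```

A "replace" finding is the case that removes per-workstation local admins on policy refresh; an "additive" finding is the form that only adds the domain group.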



