Re: Restricted Groups problem

---

• From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
• Date: Fri, 6 Apr 2007 21:56:56 -0400

---

Sounds like a group type issue. I haven't tried it quite that way, but all
you're really interested in is adding the group to the local administrators.
Membership is not really critical to this situation.

What is the group type? Are you saying it's a global group from domain ?

As for not changing the local administrators group, you'll want to use the
memberof feature only. Do not populate anything for the group.

Al


"GeorgeMc" <GeorgeMc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:73A58687-AD81-4BD5-8B8A-A7D3CB9268BA@xxxxxxxxxxxxxxxx

Hi!

I'm having a problem assigning the users/groups I want to the local
machine
administrators groups through the Restricted Groups policy. Here's my
scenario:

- "domain"
- "sub.domain"
- OU in sub.domain called web servers

I have a Global Security group in "domain" called WebServerAdmins with
users
from "domain".

On member servers in the web servers OU of sub.domain, I can manually add
domain\webserveradmins to the local administrators group.

I add "Administrators" to the Restricted Groups of sub.domain. However,
when I try to add members to this group, domain\webserveradmins is not
available from the "domain" location. The individual members of
domain\webserveradmins are available however.

I also created a sub.domain\test local domain group and added the global
domain\webserveradmins to it. However, in Restricted Groups, the only
sub.domain groups available to choose are sub.domain global groups such as
sub.domain\Domain Admins.

The bottom line is that I want, via group policy, to add
domain\webserveradmins to the local machine administrators group of all
memberr servers of sub.domain.

In addition, I don't want to change the existing local member server
Administrators group, just add to what's existing.

Thanks,

George

.

---

• Follow-Ups:
  • Re: Restricted Groups problem
    • From: GeorgeMc

• Prev by Date: Re: What time does the account actually expire?
• Next by Date: Re: Splitting a child domain in Win2K3 AD
• Previous by thread: Re: Problem with Unjoining Domain
• Next by thread: Re: Restricted Groups problem
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Administrator cant change security ... administrators group on the domain member can configure permissions on any ... computers can not reliably contact a domain controller. ... I'm signing on as Administrator on a second Windows 2003 server that is ... (microsoft.public.windows.server.security) Re: Security groups being removed ... be the expected behavior because of the AdminSDHolder thread on the DC ... This object is used to control the permissions of user accounts that are ... members of the built-in Administrators or Domain Administrators groups. ... a user account is a member of one of these administrative groups because ... (microsoft.public.windows.server.sbs) Re: True difference between Domain Admin grp and Administrators Group ... is a member of the domain "administrator" group by default. ... The domain admin group not only has local administrator ... group is automatically added to the local "administrators" group. ... Members of this group have full control of the domain. ... (microsoft.public.windows.server.general) RE: Permissions ... administrative permissions in each domain (Domainb.local ... Create a local group on the member server in the ... >Symptom 1 often occurs when the domain administrators ... (microsoft.public.win2000.security) RE: Security groups being removed ... and all of the member objects of these groups: ... This object is used to control the permissions of user accounts that are ... members of the built-in Administrators or Domain Administrators groups. ... AdminSDHolder thread. ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)