Re: Add another domain user group to local administrators of all computers in an OU with removing others?



On Jul 18, 3:01 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello rosevill...@xxxxxxxxx,

You can add/remove users/groups in restricted groups as you like. But if
you only work with groups in restricted groups, you can just add/remove users
to the group in AD you specified. Additionally, you can always create a new
GPO for another OU with different accounts/groups.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



Even if it doesn't remove existing users from the local
administrators, doesn't it "RESTRICT" you from later adding individual
users to that machine's local administrator group?  We will need the
flexibility to add other local admin users to specific computers as
needed.  On some machines the assigned user will be an admin on the
box and on others, they will not.  I have heard that using restricted
groups closes your options.

On Jul 18, 11:57 am, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
Using restricted groups properly doesn't remove anyone from the local
admins group.  You are using it incorrectly in forcing only group
members defined in the gpo.  See below to learn how to use it correctly.

+++++++++++++++++++++++++++++++++++++++++++++++

computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar
...

http://www.microsoft.com/resources/documentation/windows/xp/all/prodd
...

There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users),
go to computer configuration/windows settings/security
settings/restricted groups, right click on restricted groups and select
new group (For the local computers, this group name should be -
administrators) and key in the group you want auto populated.  Select
add on the Members of this group and then add the members you want
populated.

Note: Be aware that the higher you place this setting within the
domain's group policy, the greater the possibility that it is applied to
machines you may not want it applied to.  With this in mind you should
try and avoid this setting at the domain level, with the exception of
the domain admins group.  We have some users who are local admins on
machines and for some reason they feel compelled to remove the domain
admins from their local administrators group. Setting this at the
domain level manages these annoying users.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

<rosevill...@xxxxxxxxx> wrote in message

news:81e53be3-bde4-496d-a66c-91e9cdf32eb0@xxxxxxxxxxxxxxxxxxxxxxxxxxx
m...

The subject should say
"Add another domain user or group to local administrators of all
computers in an OU WITHOUT removing others?"

This does not seem to also let you add and remove users from specific
computers.

For instance, what if I want domain admins, helpdesk, and desktop
support to be in the local admins group of all workstations, but
additional individual users to also be added to certain machines,
but not domain-wide?

This is what the pages linked above show, and it does not
sound like it lets me do what we need to do:

"Members of this group – This setting allows you to control the
members of the group that you specify for the policy. The members can
include both user and group accounts. When you configure the members
of a group, it will overwrite the existing membership of the group and
replace the members with those specified within the GPO. If you were
to configure this setting and leave the members blank, then the group
would not have any members after the GPO applied to the computer.
Another indirect benefit of using the Restricted Group setting is that
it will automatically remove any local user accounts that should not
be added to the Administrators group. This typically includes local
user accounts that have been created by the user of the computer, to
bypass domain security."


That really sounds like it will overwrite existing members and not
allow any additional users to be added to some machines and not
others.

If restricted groups were in place and we later needed John Smith to
be an admin on jsmith-desktop, he would need to be added to the
restricted group to get local admin rights on that machine, but then
he would be a local admin on every workstation instead of only that
one.
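An audit script that shows the practical difference between the two Restricted Groups modes after the GPO has applied: every workstation in the OU should carry the baseline groups, while per-machine admins such as jsmith on jsmith-desktop should still be present rather than wiped. This is an added example, not code from the thread; the OU distinguished name, the CONTOSO domain and the three group names are placeholders, and it assumes you are running it with rights to read each workstation's local Administrators group.

```powershell
# Added audit example (not from the thread). The OU, domain and group names
# below are placeholders; adjust them for your environment.
# Lists the local Administrators membership of every computer in an OU and
# flags machines missing the baseline groups or carrying per-machine extras.
param(
    [string]$OU = 'OU=Workstations,DC=contoso,DC=com',   # placeholder OU
    [string[]]$Required = @('CONTOSO/Domain Admins',     # placeholder groups
                            'CONTOSO/Helpdesk',
                            'CONTOSO/Desktop Support')
)

# Enumerate computer objects in the OU via ADSI (no RSAT module needed).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$OU"
$searcher.Filter = '(objectCategory=computer)'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('dNSHostName')

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties['dnshostname'][0]
    if (-not $name) { continue }
    try {
        # The WinNT provider works against XP/2003 as well as current versions.
        $group = [ADSI]"WinNT://$name/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            # ADsPath looks like WinNT://CONTOSO/Helpdesk or WinNT://HOST/Administrator
            ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) `
                -replace '^WinNT://', ''
        }
    } catch {
        Write-Warning "$name : $($_.Exception.Message)"
        continue
    }
    # Baseline groups the GPO should have added on every machine.
    $missing = $Required | Where-Object { $members -notcontains $_ }
    # Anything else (except the built-in local Administrator) is a per-machine admin;
    # with "Members of this group" these would have been wiped, with "Member of" they survive.
    $extra = $members | Where-Object {
        $Required -notcontains $_ -and $_ -notmatch '/Administrator$'
    }
    [pscustomobject]@{
        Computer = $name
        Missing  = ($missing -join ', ')
        Extra    = ($extra   -join ', ')
    }
}
```

Run it before and after the policy refresh: a non-empty Missing column means the GPO has not applied, and an emptied Extra column across the OU is the sign you used "Members of this group" instead of "This group is a member of".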


