Re: Add another domain user group to local administrators of all computers in an OU with removing others?

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hello rosevilleca@xxxxxxxxx,

By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

On Jul 21, 1:46 pm, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
You are confused.

If you go through the info I provided and apply as stated, it will
add additional groups to thelocaladmins, just make sure to select
"This Group is a member of" not "Members of this Group".

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
So, "is a member of" was the clarification needed to get it to work
the way I was describing.

So, now it works without removing other admins, but the new problem is
that it isn't enforced if someone goes in and deletes the group from
the local adminstrators on a machine.
We have set "always wait for network" when logging on so the GPOs take
effect without taking 2 reboots, but after deleting the group from the
local administrators on a machine, the group was not re-added to local
administrators when the machine is rebooted. We even tried rebooting
twice with no luck.
The only way the group reappeared as a local admin was by running
gpupdate -- and not just gpudate, but gpupdate -force. After using
the force switch, the group was re-added to the local admins.
Is there any way around this, or will it eventually automatically add
the group back to local administrators without needing to run the
gpupdate /force command if we just wait longer?


.

Relevant Pages

  • Re: Add another domain user group to local administrators of all computers in an OU with removing ot
    ... effect without taking 2 reboots, but after deleting the group from the ... local administrators on a machine, the group was not re-added to local ... The only way the group reappeared as a local admin was by running ... gpupdate -- and not just gpudate, ...
    (microsoft.public.windows.server.active_directory)
  • Re: GPO update
    ... Meinolf Weber wrote: ... You have to type gpupdate /force not /update. ... be local administrators and they lost their local admin rights. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Restrict take ownership rights
    ... the machine (these are the people who have access to the folder I want to ... I need to be sure anyone in local admin ... ownership of a folder. ... I want to ensure that local administrators cannot come along ...
    (microsoft.public.security)
  • Re: Local Admin & Startup Script
    ... Yea...this was a migration, but when I do add a user with /connectcomputer, I never make that selection that you're talking about. ... When I have a user who is not local admin, they get a pop up which says the ... "You must be a member of the local Administrators security group ... on this computer to install and configure applications. ...
    (microsoft.public.windows.server.sbs)
  • Re: Group Policy Problem
    ... Found it, restricted groups. ... On my workstations if I add a user to the "local administrators" group then run gpupdate /force the user I have added is removed. ...
    (microsoft.public.windows.server.active_directory)