Re: Add another domain user group to local administrators of all computers in an OU with removing others?
- From: rosevilleca@xxxxxxxxx
- Date: Tue, 22 Jul 2008 11:41:06 -0700 (PDT)
On Jul 22, 9:07 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello rosevill...@xxxxxxxxx,
By default, Group Policy refreshes in the background every 90 minutes, with
a random offset of 0 to 30 minutes.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
On Jul 21, 1:46 pm, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
You are confused.
If you go through the info I provided and apply as stated, it will
add additional groups to the local admins, just make sure to select
"This Group is a member of" not "Members of this Group".
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
--So, "is a member of" was the clarification needed to get it to work
the way I was describing.
So, now it works without removing other admins, but the new problem is
that it isn't enforced if someone goes in and deletes the group from
the local administrators on a machine.
We have set "always wait for network" when logging on so the GPOs take
effect without taking 2 reboots, but after deleting the group from the
local administrators on a machine, the group was not re-added to local
administrators when the machine is rebooted. We even tried rebooting
twice with no luck.
The only way the group reappeared as a local admin was by running
gpupdate -- and not just gpupdate, but gpupdate -force. After using
the force switch, the group was re-added to the local admins.
Is there any way around this, or will it eventually automatically add
the group back to local administrators without needing to run the
gpupdate /force command if we just wait longer?- Hide quoted text -
- Show quoted text -
I have now waited beyond the refresh time + offset time (it had been
set for 30 minute refresh with 30 minute offset so it should have a
maximum delay to reapply the policy of 60 minutes at the longest). The
deleted group was not re-added even after a reboot after more than 2
hours. The domain controllers are all on the local LAN. The members
of the restricted group are only re-added after deletion if a
gpupdate /force command is run.
Out of curiosity, I will wait overnight to see if the group is ever
automatically re-added.
I'm not seeing much advantage of using this Restricted Groups policy
rather than using a computer startup script that runs a command adding
the group to local administrators at every reboot.
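
The startup-script alternative mentioned in the last paragraph, as an added example that is not part of the original post: a Windows PowerShell 5.1 computer startup script that adds one domain group to local Administrators without touching other members, and logs an event whenever the group had gone missing. The group name and the event source name are constructed placeholders.

```powershell
# Added example, not from the thread. Intended to run as a computer startup
# script (SYSTEM context) on Windows PowerShell 5.1 or later, which provides
# the Microsoft.PowerShell.LocalAccounts cmdlets used below.
param(
    # Placeholder group name; replace with the real DOMAIN\Group.
    [string]$GroupName = 'EXAMPLE\Workstation-Admins'
)

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$AdminsSid = 'S-1-5-32-544'
# Hypothetical event source so removals are visible in the Application log.
$Source = 'LocalAdminEnforce'

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

try {
    $members = Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop
    $present = $members | Where-Object { $_.Name -ieq $GroupName }

    if ($present) {
        # Group is already a member: change nothing.
        exit 0
    }

    # Additive only: existing local administrators are left in place.
    Add-LocalGroupMember -SID $AdminsSid -Member $GroupName -ErrorAction Stop

    # Record the drift so someone can find out who removed the group.
    Write-EventLog -LogName Application -Source $Source -EventId 1001 `
        -EntryType Warning `
        -Message "$GroupName was missing from local Administrators on $env:COMPUTERNAME and was re-added at startup."
}
catch {
    Write-EventLog -LogName Application -Source $Source -EventId 1002 `
        -EntryType Error `
        -Message "Could not verify or add $GroupName in local Administrators: $($_.Exception.Message)"
    exit 1
}
```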