Re: add group back.

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 05/04/04

Next message: steveriz: "Are we an Open Relay? I don't think so."
Previous message: JIM.H.: "RDC"
In reply to: js: "Re: add group back."
Next in thread: Eric Chamberlain: "Re: add group back."
Reply: Eric Chamberlain: "Re: add group back."
Messages sorted by: [ date ] [ thread ]

Date: Tue, 4 May 2004 11:33:18 -0700

Oh my, con caro . . .

When you define a restricted group you are stating the exact
membership of the group. So, in addition to Domain Admins
you also need to specify any other local accounts on that
machine that need to be members of Administrators.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"js" <js@someone@hotmail.com> wrote in message 
news:%23Rc42fdMEHA.1468@TK2MSFTNGP12.phx.gbl...
> Thanks Eric!
>
> "Eric Chamberlain" <eric.chamberlain@newsgroups.nospam> wrote in message
> news:uhkkebXMEHA.3016@tk2msftngp13.phx.gbl...
>> Go to the OU that the machine is a member of and create a new GPO.
>> In the new GPO, under computer, security settings, choose Restricted
> groups.
>> Create a new entry for administrators and make Domain Admins a member.
>>
>
>

Next message: steveriz: "Are we an Open Relay? I don't think so."
Previous message: JIM.H.: "RDC"
In reply to: js: "Re: add group back."
Next in thread: Eric Chamberlain: "Re: add group back."
Reply: Eric Chamberlain: "Re: add group back."
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: How to change domain administrator to limited/restricted user?
... Depending on the number of users, computers, member servers and the rest of the infrastructure, I might be tempted to start over. ... If it's "a" domain administrator, then remove the user from the ... Are the individual users direct members of the Domain Admins group or members of a group added to the Domain Admins group. ... Check a workstation or two and see if the user is a member of the local workstation administrators group. ...
(microsoft.public.windows.server.sbs)
Re: no Domain Admin rights to a Domain Server
... If the computer is still a member of the domain with proper DNS name ... the domain it needs to be joined to the domain again and the domain admins ... I can logon locally to the machine but the rights are that of a ... the server belongs to engineering and the person in charge ...
(microsoft.public.win2000.security)
Re: Group Policy on a remote computer
... By default, members of Domain Admins are administrators on member computers, but not Enterprise Admins. ... The domain controller is Windows Server 2003 R2 SP2; the target computer is XP Professional SP2. ... The usual process is to create a Group Policy Object in the Domains Active Directory and link it to the OU with the target computer accounts or user accounts. ...
(microsoft.public.windows.group_policy)
Re: Add user/group to local group via Group Policy
... In a GPO that has all machines which should be affected in its scope, ... Change the Member Of list so that it names the built-in Administrators ... This will guarantee that Domain Admins is a member of Administrators ...
(microsoft.public.windows.group_policy)
Re: group policy settings is not removed after computer is removed from OU
... I noticed that with Vista, if the GPO using the Member Of feature in Restricted Groups is modified to remove one of the local groups, the domain group IS removed from the local group. ... Restricted Groups are not removed when the target computer falls out of scope of the GPO or the Restricted Group setting is changed. ...
(microsoft.public.windows.group_policy)