Re: Default Security Groups

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hi Mike,

Thank you for your post!

Domain Admins is a global group designed to help you administer all the
computers within a domain. When a computer is joined to the domain, the
Domain Admins group will be added to local administrators group by default.

For example, you can try the following steps on a domain controller.

1. Start Active Directory Users and Computers from any domain controller.

2. Create an organizational unit, and then move all of the appropriate
workstations and member servers to that organizational unit.

3. Right-click the organizational unit, and then click Properties.

4. Click the Group Policy tab, click NEW, and then name the policy.

5. Click the policy, and then click Edit.

6. Right-click Restricted Groups (under Computer Configuration\Windows
Settings\Security Settings\Restricted Groups), and then click Add Group.

7. Input Administrators, and then click OK. You are returned to the group
policy and you see the Administrators group listed in the Restricted Groups
window.

8. Double-click the Administrators group.

9. To the right side of the Members of this Group box, click ADD, and then
click Browse.

10. Add the group. After you do so, close the group policy.

For more information, please refer to the following KB article and TechNet
article:

810076 Updates to Restricted Groups ("Member of") behavior of user-defined
local groups
http://support.microsoft.com/kb/810076/en-us

Restricted Groups Policy Settings
http://technet2.microsoft.com/WindowsServer/en/library/156780ef-eb36-4433-b3
fe-1b1a15c18f6a1033.mspx?mfr=true

Please try my steps and update me with the results. If something is
unclear, please feel free to let me know.

Sincerely,
Tom Zhang, MCSE 2003
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

Relevant Pages

  • Re: Giving admin rights to a subset of computers
    ... if you have a problem with RG configuration or if it is a Group Policy ... > computers exist in the 'Computers' folder under the domain. ... > made the global group 'ATL-Admins' a member of the RG. ... > member of the 'Administrators' group. ...
    (microsoft.public.win2000.security)
  • Re: Giving admin rights to a subset of computers
    ... I would create a new Group Policy in that OU or modify one that you already ... Restricted Groups to all computers in that OU. ... that global group to be "this group is a member of" administrators group. ...
    (microsoft.public.win2000.security)
  • Re: OU delegation
    ... Administrators to the "Restricted Groups" setting and specifying the ... Windows Settings> Security Settings> Restricted Groups ... The Restricted Group definition would ... perform administrative tasks on computers in that are in this OU. ...
    (microsoft.public.windows.server.security)
  • Re: OU delegation
    ... Administrators to the "Restricted Groups" setting and specifying the ... Windows Settings> Security Settings> Restricted Groups ... The Restricted Group definition would ... perform administrative tasks on computers in that are in this OU. ...
    (microsoft.public.windows.server.security)
  • Re: Allowing a domain user account (specify) to add workstation to Windows 2000 domain (SP4)
    ... into the local administrators group on the workstation. ... restricted groups you can then modify the group membership to get users into ... Create the gpo in the ou where the Computers reside, ... we removed the right to add workstation to Windows 2000 ...
    (microsoft.public.win2000.active_directory)