Archived from groups: microsoft.public.win2000.active_directory
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:#3ZsHOU2EHA.1400@TK2MSFTNGP11.phx.gbl...
> Herb,
>
> Glad that you remembered the trick and are passing it along.
Sorry I didn't remember who told me. Thanks again.
A thought occurred to me however: I suppose this won't work
for restricting custom groups on the computers -- only for the
built-in groups.
Of course, if you go to Native(+) mode then you can build
local groups on the domain and avoid even having to create
standardized custom groups.
--
Herb Martin
>
> Cary
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eO2LA7Q2EHA.3092@TK2MSFTNGP10.phx.gbl...
> > "Rob" <rjohn@sw.rr.com> wrote in message
> > news:eOqAj9O2EHA.4072@TK2MSFTNGP10.phx.gbl...
> > > For some strange reason I have been unable to use GPOs to set the
> > > membership of the local administrators group on my PCs. I can make
> > > this work on Domain level groups, but not the local administrators
> > > group of PCs. I've clearly missed something here....
> > >
> > > Any tips would be appreciated.
> >
> > Someone finally taught me the trick to these.
> >
> > Local groups don't exist on the DCs so this is the
> > initial problem -- you (like me) probably tend to
> > run AD Users/Computer and the GPO Editor from
> > the DCs ONLY.
> >
> > Install the tools on an XP box or on a Win2000 box
> > (which has the built-in local groups.) This would
> > also work on a non-DC server.
> >
> > ADMINPAK.msi in the DC System32 directory
> > contains the tools.
> >
> > Run the tools from there and set up the Restricted
> > Group -- you will be able to pick the local built-in
> > groups.
> >
> > This will work because as built-in groups their
> > SIDs are predictable.
> >
> > It probably won't work for any custom local groups
> > though.
> >
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > Rob
> > >
> > >
> >
> >
> >
>
>
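
Added example, not part of the original thread: a small Python audit of the `[Group Membership]` section that a Restricted Groups policy writes to the GPO's `GptTmpl.inf`, showing why the built-in groups are the easy case (they are keyed by a well-known SID such as `S-1-5-32-544`). The domain SID, the `HelpdeskLocal` group and the `EXAMPLE\Helpdesk` account are constructed, and the reading that a name-keyed entry depends on a same-named group existing on each PC is an assumption.

```python
import re

# Well-known built-in local group SIDs, identical on every Windows machine.
BUILTIN_ALIASES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample of a GptTmpl.inf; pass the decoded text of a real file instead.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_INF = f"""\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOMAIN}-512,*{DOMAIN}-1105
HelpdeskLocal__Members = EXAMPLE\\Helpdesk
"""

def parse_restricted_groups(inf_text):
    """Return {group_key: {"Members": [...], "Memberof": [...]}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.match(r"^(.*)__(Members|Memberof)$", key.strip(), re.IGNORECASE)
        if not m:
            continue
        group, kind = m.group(1), m.group(2).capitalize()
        entries = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {"Members": [], "Memberof": []})[kind] = entries
    return groups

def classify(group_key):
    """A leading '*' marks a SID; built-in SIDs are the same on every PC."""
    if group_key.startswith("*"):
        sid = group_key[1:]
        return ("builtin", BUILTIN_ALIASES[sid]) if sid in BUILTIN_ALIASES else ("sid", sid)
    return ("by-name", group_key)
```

Running `classify` over the keys returned by `parse_restricted_groups` gives a quick list of which restricted groups are pinned to a built-in SID and which are referenced only by name and deserve a check on the target machines.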