
Restricted Groups > Local Administrators

December 3, 2004 1:29:27 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

For some strange reason I have been unable to use GPOs to set the membership
of the local administrators group on my PCs. I can make this work on Domain
level groups, but not the local administrators group of PCs. I've clearly
missed something here....

Any tips would be appreciated.

Rob
Anonymous
December 3, 2004 4:57:36 AM


"Rob" <rjohn@sw.rr.com> wrote in message
news:eOqAj9O2EHA.4072@TK2MSFTNGP10.phx.gbl...
> For some strange reason I have been unable to use GPOs to set the membership
> of the local administrators group on my PCs. I can make this work on Domain
> level groups, but not the local administrators group of PCs. I've clearly
> missed something here....
>
> Any tips would be appreciated.

Someone finally taught me the trick to these.

Local groups don't exist on the DCs so this is the
initial problem -- you (like me) probably tend to
run AD Users/Computer and the GPO Editor from
the DCs ONLY.

Install the tools on an XP box or on a Win2000 box
(which has the built-in local groups.) This would
also work on a non-DC server.

ADMINPAK.msi in the DC System32 directory
contains the tools.

Run the tools from there and set up the Restricted
Group -- you will be able to pick the local built-in
groups.

This will work because as built-in groups their
SIDs are predictable.

It probably won't work for any custom local groups
though.


--
Herb Martin


>
> Rob
>
>
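
The point made in the reply above, that built-in local groups can be targeted because their SIDs are the same on every machine, can be checked in the GPO's security template. This is an added example, not code from the thread: it assumes the Restricted Groups settings are read from the GPO's `GptTmpl.inf` `[Group Membership]` section, and the domain SID, RIDs and the `HelpdeskLocal` group name in the sample are constructed.

```python
import re

# Well-known SIDs of built-in local groups (identical on every Windows machine).
BUILTIN_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample template; the domain SID, RIDs and HelpdeskLocal are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
HelpdeskLocal__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
"""

def restricted_groups(inf_text):
    """Return {group_key: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not (in_section and m):
            continue
        key, kind, value = m.group(1).lstrip("*"), m.group(2).lower(), m.group(3)
        entry = groups.setdefault(key, {"members": [], "memberof": []})
        entry[kind] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups

def audit(inf_text):
    """Label each restricted group as keyed by a well-known SID or by a plain name."""
    report = []
    for key, entry in restricted_groups(inf_text).items():
        if key in BUILTIN_GROUPS:
            report.append((BUILTIN_GROUPS[key], "builtin-sid", entry["members"]))
        else:
            # A name-keyed entry only has an effect where a group of that name exists.
            report.append((key, "by-name", entry["members"]))
    return report

if __name__ == "__main__":
    for name, kind, members in audit(SAMPLE_INF):
        print(f"{name:15} {kind:12} members={members}")
```

Real `GptTmpl.inf` files in SYSVOL are normally UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text to `audit`.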
Anonymous
December 3, 2004 12:21:50 PM


Herb,

Glad that you remembered the trick and are passing it along.

Cary

Anonymous
December 3, 2004 6:09:19 PM


"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:#3ZsHOU2EHA.1400@TK2MSFTNGP11.phx.gbl...
> Herb,
>
> Glad that you remembered the trick and are passing it along.

Sorry I didn't remember who told me. Thanks again.

A thought occurred to me however: I suppose this won't work
for restricting custom groups on the computers -- only for the
built-in groups.

Of course, if you go to Native(+) mode then you can build
local groups on the domain and avoid even having to create
standardized custom groups.

--
Herb Martin

