Archived from groups: microsoft.public.win2000.group_policy
Not much!
You actually need to install the adminpak.msi on a WIN2000 workstation and
do the rest from there. Here are some links that I should have initially
included:
http://support.microsoft.com/?id=320065 ( you can change 'Administrators'
to any of the other groups, such as 'Power Users' if you need )
For additional information, take a look at these:
http://support.microsoft.com/?id=320045
http://support.microsoft.com/?id=279301
http://support.microsoft.com/?id=228496
And you might want to take a look at this:
http://support.microsoft.com/?id=810076
This is because according to 228496 whichever user or group accounts were a
member of 'Administrators' - in your example - are kicked out / replaced by
the Restricted Group that you create. Think about Domain Admins....
HTH,
Cary
"Martin Horsley" <Martin.Horsley@apsmortgages.co.uk> wrote in message
news:ua10Wy4MEHA.3052@TK2MSFTNGP12.phx.gbl...
> Ah thanks very much for the speedy response!
>
> So (and I warn now, this is all new, and we will buy a book on it and do it
> properly, just right now we've got desktops covered in adverts and so
> forth that are more pressing for the company than buying me training ))
> I'm in the GP editor on the PDC, in computer conf > Windows settings >
> security settings > restricted groups? And what can I actually "do" in
> there?
> All the users are Domain Users, and so if they roam to a PC where their
> account is not admin, then we have no problem. It's only when they're on
> their 'home' machines where they have been set as admins that we have the
> problem. I don't understand how I can make the Domain Users group be
> restricted by some other group, when really that isn't what is giving them
> Admin privileges anyway, it's the fact that they are admins on their local
> machines.
>
> Cheers, Martin H.
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:OJ1mOL4MEHA.2676@TK2MSFTNGP12.phx.gbl...
> > Martin,
> >
> > Take a look at the Restricted Groups GPO. That might save you a few steps!
> >
> > Cary
> >
> > "Martin Horsley" <Martin.Horsley@apsmortgages.co.uk> wrote in message
> > news:O%23XJQE4MEHA.4016@TK2MSFTNGP10.phx.gbl...
> > > Hi all,
> > >
> > > we have a situation where our client machines (100-ish) log on to their
> > > machines with administrative rights (yeah, I know). After a spate of issues
> > > with adware etc, I'd really like to revoke their privileges somewhat, either
> > > by literally taking away install rights, or by finding a way to convert them
> > > to ordinary non-admin accounts (pref. permanently). Is this possible, or am
> > > I in for a long walk round the office? )
> > >
> > > Cheers and thanks in advance, Martin H.
> > >
> > > martin@horzle.co.uk
> > >
> > >
> >
> >
>
>
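
Added example (not part of the original thread): the point above that a Restricted Groups 'Members' list replaces whatever was in the local group, checked offline against the [Group Membership] section of a policy's GptTmpl.inf before the GPO is linked. The sample file content, the domain SID and the function names are constructed for illustration, and the Domain Admins check assumes members are stored as SIDs.

```python
import re

# Constructed sample of the [Group Membership] section that a Restricted Groups
# policy writes to GptTmpl.inf. The domain SID is a made-up placeholder.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
"""

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the local Administrators group
DOMAIN_ADMINS_RID = "512"        # well-known RID of the Domain Admins group


def parse_restricted_groups(inf_text):
    """Return {group: [members]} from the '__Members' lines of [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"\*?(.+?)__Members\s*=\s*(.*)$", line, re.IGNORECASE)
        if in_section and m:
            names = [x.strip().lstrip("*") for x in m.group(2).split(",")]
            groups[m.group(1)] = [n for n in names if n]
    return groups


def removed_by_policy(current_members, policy_members):
    """'Members' replaces the list, so anything the policy does not name is dropped."""
    keep = {p.lower() for p in policy_members}
    return [c for c in current_members if c.lower() not in keep]


def drops_domain_admins(policy_members):
    """True if no domain SID ending in the Domain Admins RID is in the policy list."""
    pattern = r"S-1-5-21-(\d+-){3}" + DOMAIN_ADMINS_RID
    return not any(re.fullmatch(pattern, p) for p in policy_members)
```

Feed removed_by_policy the current membership of a workstation's local Administrators group (as SIDs) to see which accounts the policy would remove from it.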