Sign in with
Sign up | Sign in
Your question
Closed

Retaining local administrator groups when using restricted..

Tags:
  • Policy
  • Workstations
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
April 19, 2005 11:39:15 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

This kinda defeats the purpose of restricted groups but my company is
currently redesigning their group policy infrastructure and have decided to
used restricted groups.

Currently their are quite a few users who are members of the local
administrators group of their assigned workstation because of business
requirements.

Goal:
To implement the use of restricted groups while allowing the current local
administrators of a system to remain local administrators.

We have thought of a few work arounds but here are some of the problems we
are facing:
1. Gather all of the members that will need local administrator rights on
their workstations to a domain local group and adding that group to the
restricted group we place on the workstations.

The problem with this is we dont want to grant all users in this group local
admin rights to all of the computers.

2. Use computer login scripts to add the specfied domain groups to the local
administrators group with out using restricted groups.

The problem with this is their is no group policy refresh, and these groups
(if a local administrator removes them) will only apply at computer logon.

Is their any known "happy medium" for meeting this requirement?

More about : retaining local administrator groups restricted

Anonymous
April 20, 2005 4:04:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Restricted Groups can do this natively. When you set it up you can choose
whether or not to keep existing local admins or remove them.
http://support.microsoft.com/?id=228496

"Shayne D. Swann" <a-sswann@microsoft.com> wrote in message
news:o $Hz%23jTRFHA.3496@TK2MSFTNGP12.phx.gbl...
> This kinda defeats the purpose of restricted groups but my company is
> currently redesigning their group policy infrastructure and have decided
> to used restricted groups.
>
> Currently their are quite a few users who are members of the local
> administrators group of their assigned workstation because of business
> requirements.
>
> Goal:
> To implement the use of restricted groups while allowing the current local
> administrators of a system to remain local administrators.
>
> We have thought of a few work arounds but here are some of the problems we
> are facing:
> 1. Gather all of the members that will need local administrator rights on
> their workstations to a domain local group and adding that group to the
> restricted group we place on the workstations.
>
> The problem with this is we dont want to grant all users in this group
> local admin rights to all of the computers.
>
> 2. Use computer login scripts to add the specfied domain groups to the
> local administrators group with out using restricted groups.
>
> The problem with this is their is no group policy refresh, and these
> groups (if a local administrator removes them) will only apply at computer
> logon.
>
> Is their any known "happy medium" for meeting this requirement?
>
Anonymous
February 21, 2010 9:49:16 PM

Necropost.
!