Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Create and link a GPO to the OU that contains the computer accounts for the
workstations in question. You may find it useful to first create an OU
specifically for the computer accounts for the computers you want to adjust
the local administrators group on.
In this new GPO, navigate to Computer Configuration, Windows Settings,
Restricted Groups
right click on Restricted Groups and select Add Group...
key the name of the Domain Group you want added to the local Administrators
group and click OK
click Add beside the box with the title "This group is a member of" (this is
the lower of the two boxes)
key Adminstrators and click OK
click OK
Close the Group Policy Editor
The above technique will only have the desired affect on clients running
Windows 2000 SP4, Windows XP SP2, Windows XP SP1 with a specific hotfix and
Windows 2003 Server; see
http://support.microsoft.com/?id=810076 for
details.
Since, by default, Domain Controllers are in an OU that does not contain
other domain members, unless you link this GPO to that OU, it will not have
any affect on Domain Controllers. By default, domain member computers go in
the Computers OU.
--
Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
"none" <""Tez\"@(none)"> wrote in message
news:1123168774.80669.0@doris.uk.clara.net...
> Denis Wong @ Hong Kong wrote:
>> Oh yes, forgot using GP to set permission. Then it could be a GP issue
>> then.
>>
>> br,
>> Denis
>>
>> "Jerold Schulman" <Jerry@jsiinc.com> wrote in message
>> news:1fi1f117323qai3hg4ri8c9cmplbo8lv8g@4ax.com...
>>
>>>On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>>>
>>>
>>>>Hi
>>>>
>>>>I would like give a domain user permission to change and reset
>>>>file/share permissions locally on computers which are joined to our
>>>>domain. I have delegated permission for them to add/remove computers
>>>
>>>>from the 'Computers' folder in Active Directory Computers and Users, and
>>>
>>>> also add/remove users from the '*ourdomain* users' and *ourdomain
>>>>groups'. Is this a group policy change I need to make?
>>>>
>>>>Thanks for your help
>>>>
>>>>T.
>>>
>>>You can use Group Policy to set file system permissions.
>>>See tip 8724 » How can I use Group Policy to set File System and/or
>>
>> Registry permissions?
>>
>>> in the 'Tips & Tricks' at
http://www.jsifaq.com
>>
>>
>>
> I can see that each computer on the domain has Domain Admins added to the
> administrator group on the local computer. I would like another domain
> group to be added as administrator by default except on domain
> controllers. Could this be acheived by giving the domain group 'full
> control' in the security tab of the 'Domain Computers' global group?
Facebook
Twitter
Instagram