[gptalk] Re: Add user to local administrators group
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 12 Jun 2007 09:13:14 -0700
That's correct Omar. That particular policy does "tattoo" the system.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Tuesday, June 12, 2007 9:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Add user to local administrators group
The one thing to watch out for- and someone please correct me if I am wrong:
If you use the restricted group settings to ADD a user or group to a local
computer group using the memberOf Section- if you remove that GPO or change
that membership the entry will still remain in the local computer group.
Example: we modify the local computer group- "Remote Desktop Users" and we
add domain\helpDesk using the memberOf restricted groups.
When we remove that GPO- the domain\helpDesk remains a member of the local
Remote Desktop Users group.
This is merely a word of caution to make sure you test this out on a single
or limited number of machines before you roll it out.
Omar
_____
From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Nelson, Jamie R Contr 72
CS/SCBAF
Sent: Tue 6/12/2007 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Add user to local administrators group
Neat. I never realized that before. Learn something new everyday!
//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, June 12, 2007 10:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Add user to local administrators group
Thorbjorn is correct here. The challenge comes when you want to add a
specific user on each machine's local administrator group. That's when
Restricted Groups policy breaks down. In that case, the scripts that Jamie
pointed to are your best bet.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Thorbjörn Sjövold
Sent: Tuesday, June 12, 2007 8:44 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Add user to local administrators group
Actually it is both possible to both mirror and add, the latter is done
using the "This group is a member of:" part of the Restricted Groups
settings, but you have to select the groups in "reverse" order, i.e. first
the group you want to add and then where you want it, while in the normal
case you select the group to manage and then who should be in it.
So if you for example want to have Domains Admins added to the local
Administrators group, you select Add Group... in the Restricted Groups node,
then select Domain Admins from your domain and in the "This group is a
member of:" you select the Administrators group. Remember to select the
local computer in the Object Picker when you browse for the local group.
HTH,
Thorbjörn Sjövold
Special Operations Software
<http://www.specopssoft.com/> www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com
Download our free tool for remote Gpupdate with graphical reporting,
<http://www.specopssoft.com/products/specopsgpupdate/>
http://www.specopssoft.com/products/specopsgpupdate/
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: den 12 juni 2007 16:22
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Add user to local administrators group
Well, restricted groups policy can't just "add" someone to a group. Your
local groups will mirror what is specified in the GPO. In some cases this is
really handy because you may only want specific users/groups in there and
Restricted Groups policy will remove any user/group that is not explicitly
allowed.
However, in your case, you only want to add someone, so you will probably
need to make that change using a computer startup script.
The following link has some VBScript samples that should give you a good
start:
http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/user
sgroups/localgroups/
Regards,
//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Johnson, Matthew
Sent: Tuesday, June 12, 2007 9:04 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Add user to local administrators group
Can I use a GPO to add a user to the local administrators group on all our
pc's in our domain?
I looked at the Restricted groups setting but I don't know if this will
work. We have a windows 2000 domain.
Thanks for any help,
Matthew Johnson
CONFIDENTIALITY STATEMENT: This electronic message contains information from
Fisher-Titus Medical Center and may be protected health information or other
confidential and privileged information under law. The information is
intended to be for the use of the individual or entity named above. If you
are not the intended recipient, be aware that any disclosure, copying,
distribution or use of the contents of this message is prohibited. If you
have received this electronic message in error, please notify the sender
immediately by reply e-mail or telephone at 419/668-8101.
Other related posts:
