[gptalk] Re: Adding an account to a local group

• From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
• To: <gptalk@xxxxxxxxxxxxx>
• Date: Wed, 18 Jun 2008 11:27:31 -0500

GPP stands for Group Policy Preferences. It is a new client side extension 
(CSE) for Group Policy that extends control of what you can do to things like 
Power Management in Windows XP, adding/changing registry entries, mapping 
drives/printers, copying files, etc. Believe me, that is only the beginning of 
what you can do. As Darren said, the days of startup/logon scripting are 
virtually over, unless of course you're doing something extremely complex.

 

GPP developed from a DesktopStandard product called PolicyMaker that was sold 
as a third party add-on to Group Policy. It was so innovative that Microsoft 
bought it up and included it for FREE with Server 2008, and of course renamed 
it. It is basically the exact same product, although some functionality was 
removed from the original version and Microsoft changed the item-level 
targeting interface.

 

Understand that a Server 2008 domain is not required for this. The only catch 
is that you have to have to run GPMC from a Server 2008 or Vista SP1 RSAT 
system to create and edit the policies. Of course, you'll also have to deploy 
the CSE to your Windows XP, Vista, and Server 2003 systems before they'll be 
able to read and understand the GPP specific settings. Unfortunately, GPP is 
not available for Windows 2000.

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | 
Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Shane Williford
Sent: Wednesday, June 18, 2008 11:09 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Adding an account to a local group

 

May I ask what GPP is? Is that new in Vista/2K8?

 

Shane M. Williford

Systems Administrator

MCSE, MCSA Sec, Sec+, Net+, A+

Mazuma Credit Union

9300 Troost

Kansas City, MO 64131

shane.williford@xxxxxxxxxx

816-361-4194 x6012

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Wednesday, June 18, 2008 11:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Adding an account to a local group

 

Yep. My new mantra is that with GPP, you should never have to run a script 
(logon or startup) based configuration task again.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason B. Halladay
Sent: Wednesday, June 18, 2008 8:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Adding an account to a local group

 

Thanks Darren.  I'll take a look (again) at that.  I remembered that we also 
use the start script to remove certain groups from the local administrators 
group so we'll need to continue with the scripts or go to GPPs.  I just worked 
with GPPs yesterday for the first time (in a class) and am very impressed with 
what can be done now using said GPPs.  Many of the tasks that we currently use 
GPO startup scripts to do can now be done much easier and cleaner using GPPE.  
Now to deploy the GPP CSEs to all our clients....  :)
Jason

On 6/18/08 8:48 AM, Darren Mar-Elia wrote: 

Jason-

There are two sides to Restricted Groups. If you open the dialog you see 
"Members of this Group" at the top and "This group is a member of" at the 
bottom. So, lets say you wanted to add the "Help Desk Admins" group to the 
local Administrators group on a set of workstations. You would right-click the 
Restricted Groups node, choose Add Group and enter in or browse "Help Desk 
Admins". Then, in the "This group is a member of" dialog, you would add the 
local Administrators group and, voilá!

 

Hope that helps.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason B. Halladay
Sent: Wednesday, June 18, 2008 7:41 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Adding an account to a local group

 

Hi Jamie,
I am one of those that believe Restricted Groups doesn't just "add" an account 
to the local administrators group without removing any other members. Can you 
explain (or point me to a reference on) how to use "restricted groups" to 
simply add another member without removing any members?  
We most commonly use group policy to run a startup script that adds members to 
the local administrators group. This works well but if using the restricted 
groups policy would work, that would be one less script we'd have to maintain.
Thanks,
Jason

On 6/13/08 7:58 AM, Nelson, Jamie wrote: 

You can do this with Restricted Groups policy. Normally people think of it as 
only able to mirror the membership listed (I was one of them), but you can 
actually use it to "add" a member without removing any of the existing ones.

 

Other options would be to use a computer startup script, or the GPP extensions. 
GPP doesn't REQUIRE 2008 Server to work;  you just have to have it or Vista SP1 
(with RSAT pack) from which to create/edit GPOs utilizing those extensions.

 

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | 
Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jonathan Finkbiner
Sent: Friday, June 13, 2008 7:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Adding an account to a local group

 

I would like to add an account to the local administrators group on an OU. I've 
been browsing through Computer Configuration options and I don't see anything 
promising. Does anyone one have a suggestion? 

 

No, I do not have the ability to use server 2008 options. J

 

Jonathan Finkbiner 
Support Analyst 
Information Services 
Lifestyle Family Fitness 

 

________________________________

Confidentiality Warning: This message and any attachments are intended only for 
the use of the intended recipient(s), are confidential, and may be privileged. 
If you are not the intended recipient, you are hereby notified that any review, 
retransmission, conversion to hard copy, copying, circulation or other use of 
all or any portion of this message and any attachments is strictly prohibited. 
If you are not the intended recipient, please notify the sender immediately by 
return e-mail, and delete this message and any attachments from your system. 

 

 

• Follow-Ups:
  • [gptalk] Re: Adding an account to a local group
    • From: Shane Williford

• References:
  • [gptalk] Adding an account to a local group
    • From: Jonathan Finkbiner
  • [gptalk] Re: Adding an account to a local group
    • From: Nelson, Jamie
  • [gptalk] Re: Adding an account to a local group
    • From: Jason B. Halladay
  • [gptalk] Re: Adding an account to a local group
    • From: Darren Mar-Elia
  • [gptalk] Re: Adding an account to a local group
    • From: Jason B. Halladay
  • [gptalk] Re: Adding an account to a local group
    • From: Darren Mar-Elia
  • [gptalk] Re: Adding an account to a local group
    • From: Shane Williford

Other related posts:

• » [gptalk] Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group
• » [gptalk] Re: Adding an account to a local group

1. Home
2. gptalk
3. Archive
4. 06-2008

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---