GPP stands for Group Policy Preferences. It is a new client side extension (CSE) for Group Policy that extends control of what you can do to things like Power Management in Windows XP, adding/changing registry entries, mapping drives/printers, copying files, etc. Believe me, that is only the beginning of what you can do. As Darren said, the days of startup/logon scripting are virtually over, unless of course you're doing something extremely complex. GPP developed from a DesktopStandard product called PolicyMaker that was sold as a third party add-on to Group Policy. It was so innovative that Microsoft bought it up and included it for FREE with Server 2008, and of course renamed it. It is basically the exact same product, although some functionality was removed from the original version and Microsoft changed the item-level targeting interface. Understand that a Server 2008 domain is not required for this. The only catch is that you have to have to run GPMC from a Server 2008 or Vista SP1 RSAT system to create and edit the policies. Of course, you'll also have to deploy the CSE to your Windows XP, Vista, and Server 2003 systems before they'll be able to read and understand the GPP specific settings. Unfortunately, GPP is not available for Windows 2000. Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Williford Sent: Wednesday, June 18, 2008 11:09 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Adding an account to a local group May I ask what GPP is? Is that new in Vista/2K8? Shane M. Williford Systems Administrator MCSE, MCSA Sec, Sec+, Net+, A+ Mazuma Credit Union 9300 Troost Kansas City, MO 64131 shane.williford@xxxxxxxxxx 816-361-4194 x6012 From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Wednesday, June 18, 2008 11:08 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Adding an account to a local group Yep. My new mantra is that with GPP, you should never have to run a script (logon or startup) based configuration task again. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason B. Halladay Sent: Wednesday, June 18, 2008 8:42 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Adding an account to a local group Thanks Darren. I'll take a look (again) at that. I remembered that we also use the start script to remove certain groups from the local administrators group so we'll need to continue with the scripts or go to GPPs. I just worked with GPPs yesterday for the first time (in a class) and am very impressed with what can be done now using said GPPs. Many of the tasks that we currently use GPO startup scripts to do can now be done much easier and cleaner using GPPE. Now to deploy the GPP CSEs to all our clients.... :) Jason On 6/18/08 8:48 AM, Darren Mar-Elia wrote: Jason- There are two sides to Restricted Groups. If you open the dialog you see "Members of this Group" at the top and "This group is a member of" at the bottom. So, lets say you wanted to add the "Help Desk Admins" group to the local Administrators group on a set of workstations. You would right-click the Restricted Groups node, choose Add Group and enter in or browse "Help Desk Admins". Then, in the "This group is a member of" dialog, you would add the local Administrators group and, voilá! Hope that helps. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason B. Halladay Sent: Wednesday, June 18, 2008 7:41 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Adding an account to a local group Hi Jamie, I am one of those that believe Restricted Groups doesn't just "add" an account to the local administrators group without removing any other members. Can you explain (or point me to a reference on) how to use "restricted groups" to simply add another member without removing any members? We most commonly use group policy to run a startup script that adds members to the local administrators group. This works well but if using the restricted groups policy would work, that would be one less script we'd have to maintain. Thanks, Jason On 6/13/08 7:58 AM, Nelson, Jamie wrote: You can do this with Restricted Groups policy. Normally people think of it as only able to mirror the membership listed (I was one of them), but you can actually use it to "add" a member without removing any of the existing ones. Other options would be to use a computer startup script, or the GPP extensions. GPP doesn't REQUIRE 2008 Server to work; you just have to have it or Vista SP1 (with RSAT pack) from which to create/edit GPOs utilizing those extensions. Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner Sent: Friday, June 13, 2008 7:21 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Adding an account to a local group I would like to add an account to the local administrators group on an OU. I've been browsing through Computer Configuration options and I don't see anything promising. Does anyone one have a suggestion? No, I do not have the ability to use server 2008 options. J Jonathan Finkbiner Support Analyst Information Services Lifestyle Family Fitness ________________________________ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.