[gptalk] Re: Adding an account to a local group

  • From: "Harry Singh" <hboogz@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 2 Jul 2008 19:02:09 -0400

Hey Darren -

Sorry for getting on this late, but this same scenario just came up.

Based on what you mentioned above:

"There are two sides to Restricted Groups. If you open the dialog you see
"Members of this Group" at the top and "This group is a member of" at the
bottom. So, let's say you wanted to add the "Help Desk Admins" group to the
local Administrators group on a set of workstations. You would right-click
the Restricted Groups node, choose Add Group and enter in or browse "Help
Desk Admins". Then, in the "This group is a member of" dialog, you would add
the local Administrators group and, voilà!"

When you "Add Group" for the first time and add the HelpDesk Admin group you
are then presented with, as you said, "Members of this Group" and "This
group is a member of". You don't mention to populate anything in "Members of
this Group", is this because we added the group to begin with when we first
added it? Also, when adding a local group you don't have to put the group
in quotations, right? i.e. Local Administrators or "Local Administrators"

Thanks all

On Wed, Jun 18, 2008 at 3:02 PM, Shane Williford <shane.williford@xxxxxxxxxx>
wrote:

> Thank you Jamie…I'll read up on it. I appreciate all the info! :)
>
>
>
> Shane M. Williford
>
> Systems Administrator
>
> MCSE, MCSA Sec, Sec+, Net+, A+
>
> Mazuma Credit Union
>
> 9300 Troost
>
> Kansas City, MO 64131
>
> shane.williford@xxxxxxxxxx
>
> 816-361-4194 x6012
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Nelson, Jamie
> *Sent:* Wednesday, June 18, 2008 2:00 PM
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> Shane,
>
>
>
> Yes, you can use it; and yes, you need at least one Server 2008 or Vista
> SP1 system from which to create/edit GPOs using that CSE.
>
>
>
> The other thing you'll have to do is deploy the CSE to all of the systems
> you want to manage. List member Jakob Heidelberg wrote a nifty script to
> install it via computer startup (available here:
> <http://heidelbergit.blogspot.com/2008/03/how-to-install-gpp-cses-using-startup.html>)
> or if your organization already uses WSUS, the CSEs for the different OSes
> are published there. Just keep in mind that some XP/2003 systems might need
> a prereq hotfix first.
>
>
>
> If you're interested, there is tons of reading on the subject. I've
> included a few links of interest below.
>
>
>
> Group Policy Preferences Frequently Asked Questions (FAQ)
> <http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/preferencesfaq.mspx>
>
> Information about new Group Policy preferences in Windows Server 2008
> <http://support.microsoft.com/kb/943729>
> (Includes download links for CSE)
>
> GP Policy vs. Preference vs. GP preferences
> <http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx>
> (explains the differences in terminology)
>
> Group Policy Preferences Overview
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en>
> (Microsoft white paper)
>
> Group Policy Preferences Screencast
> <http://edge.technet.com/Media/Group-Policy-Preferences-Screencast/>
> (Demonstration of how to configure preference items)
>
> Group Policy related changes in Windows Server 2008
> <http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html>
> (WindowsSecurity.com walkthrough by Jakob; Parts 3-4 are specifically
> related to GPP)
>
> Regards,
>
>
>
> *Jamie Nelson* | Infrastructure Consultant | BI&T Operations | Devon
> Energy | Work: 405.552.8054 | http://www.dvn.com
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Shane Williford
> *Sent:* Wednesday, June 18, 2008 11:31 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> Wow…if only I could get rid of, or virtually diminish logon scripting! :)
>
>
>
> My org is 2K3 SP2 and clients are XP. Can I use that tool, or do I have to
> have at least 1 2K8 or Vista SP1 box?
>
>
>
> Looks like I need to do more reading on this…thanks for all that info
> Jamie…it's MUCH appreciated!
>
>
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Nelson, Jamie
> *Sent:* Wednesday, June 18, 2008 11:28 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> GPP stands for Group Policy Preferences. It is a new client side extension
> (CSE) for Group Policy that extends control of what you can do to things
> like Power Management in Windows XP, adding/changing registry entries,
> mapping drives/printers, copying files, etc. Believe me, that is only the
> beginning of what you can do. As Darren said, the days of startup/logon
> scripting are virtually over, unless of course you're doing something
> extremely complex.
>
>
>
> GPP developed from a DesktopStandard product called PolicyMaker that was
> sold as a third party add-on to Group Policy. It was so innovative that
> Microsoft bought it up and included it for FREE with Server 2008, and of
> course renamed it. It is basically the exact same product, although some
> functionality was removed from the original version and Microsoft changed
> the item-level targeting interface.
>
>
>
> Understand that a Server 2008 domain is not required for this. The only
> catch is that you have to run GPMC from a Server 2008 or Vista SP1
> RSAT system to create and edit the policies. Of course, you'll also have to
> deploy the CSE to your Windows XP, Vista, and Server 2003 systems before
> they'll be able to read and understand the GPP specific settings.
> Unfortunately, GPP is not available for Windows 2000.
>
>
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Shane Williford
> *Sent:* Wednesday, June 18, 2008 11:09 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> May I ask what GPP is? Is that new in Vista/2K8?
>
>
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Darren Mar-Elia
> *Sent:* Wednesday, June 18, 2008 11:08 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> Yep. My new mantra is that with GPP, you should never have to run a script
> (logon or startup) based configuration task again.
>
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jason B. Halladay
> *Sent:* Wednesday, June 18, 2008 8:42 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> Thanks Darren.  I'll take a look (again) at that.  I remembered that we
> also use the start script to remove certain groups from the local
> administrators group so we'll need to continue with the scripts or go to
> GPPs.  I just worked with GPPs yesterday for the first time (in a class) and
> am very impressed with what can be done now using said GPPs.  Many of the
> tasks that we currently use GPO startup scripts to do can now be done much
> easier and cleaner using GPPE.  Now to deploy the GPP CSEs to all our
> clients....  :)
> Jason
>
> On 6/18/08 8:48 AM, Darren Mar-Elia wrote:
>
> Jason-
>
> There are two sides to Restricted Groups. If you open the dialog you see
> "Members of this Group" at the top and "This group is a member of" at the
> bottom. So, let's say you wanted to add the "Help Desk Admins" group to the
> local Administrators group on a set of workstations. You would right-click
> the Restricted Groups node, choose Add Group and enter in or browse "Help
> Desk Admins". Then, in the "This group is a member of" dialog, you would add
> the local Administrators group and, voilà!
>
>
>
> Hope that helps.
>
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jason B. Halladay
> *Sent:* Wednesday, June 18, 2008 7:41 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Adding an account to a local group
>
>
>
> Hi Jamie,
> I am one of those that believe Restricted Groups doesn't just "add" an
> account to the local administrators group without removing any other
> members. Can you explain (or point me to a reference on) how to use
> "restricted groups" to simply add another member without removing any
> members?
> We most commonly use group policy to run a startup script that adds members
> to the local administrators group. This works well but if using the
> restricted groups policy would work, that would be one less script we'd have
> to maintain.
> Thanks,
> Jason
>
> On 6/13/08 7:58 AM, Nelson, Jamie wrote:
>
> You can do this with Restricted Groups policy. Normally people think of it
> as only able to mirror the membership listed (I was one of them), but you
> can actually use it to "add" a member without removing any of the existing
> ones.
>
>
>
> Other options would be to use a computer startup script, or the GPP
> extensions. GPP doesn't REQUIRE 2008 Server to work;  you just have to have
> it or Vista SP1 (with RSAT pack) from which to create/edit GPOs utilizing
> those extensions.
>
>
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jonathan Finkbiner
> *Sent:* Friday, June 13, 2008 7:21 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Adding an account to a local group
>
>
>
> I would like to add an account to the local administrators group on an OU.
> I've been browsing through Computer Configuration options and I don't see
> anything promising. Does anyone have a suggestion?
>
>
>
> No, I do not have the ability to use server 2008 options. :)
>
>
>
> *Jonathan Finkbiner*
> *Support Analyst*
> *Information Services*
> *Lifestyle Family Fitness*
>
>
>
>
>
>
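
The two sides of the Restricted Groups dialog discussed in this thread are stored in the GPO's security template (GptTmpl.inf) as `__Memberof` and `__Members` lines under `[Group Membership]`. The following is an added example, not part of the original thread: it reads that section and reports which principals a template puts into local Administrators and through which side. The domain SIDs and RIDs in the samples are constructed placeholders and the function names are hypothetical.

```python
# Added example: classify Restricted Groups entries in a GPO security template.
# Real GptTmpl.inf files are typically UTF-16; decode them before calling these functions.
ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators ('*' marks a SID)
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder domain SID

# Constructed sample: group -1105 configured through "This group is a member of".
MEMBER_OF_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
{DOM}-1105__Memberof = {ADMINS}
{DOM}-1105__Members =
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: Administrators configured through "Members of this group".
MEMBERS_INF = f"""[Group Membership]
{ADMINS}__Memberof =
{ADMINS}__Members = {DOM}-512,{DOM}-1104
"""


def parse_group_membership(inf_text):
    """Return [(group, side, [values])] for entries that list at least one value."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, side = key.strip().rpartition("__")
        if not sep or side.lower() not in ("memberof", "members"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        if values:  # lines with nothing after '=' are not reported here
            entries.append((group, side.lower(), values))
    return entries


def local_admin_changes(inf_text, target=ADMINS):
    """Report who the template places in `target` and through which side of the dialog."""
    report = {"added_via_member_of": [], "enforced_members": []}
    for group, side, values in parse_group_membership(inf_text):
        if side == "memberof" and target.lower() in (v.lower() for v in values):
            report["added_via_member_of"].append(group)   # added alongside existing members
        elif side == "members" and group.lower() == target.lower():
            report["enforced_members"].extend(values)     # membership mirrored to this list
    return report
```

Running `local_admin_changes` over each GPO's template gives a quick inventory of which policies grant local administrator rights and whether they do so additively or by mirroring a fixed list.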
