Thanks Darren. I'll take a look (again) at that. I remembered that we also use the start script to remove certain groups from the local administrators group so we'll need to continue with the scripts or go to GPPs. I just worked with GPPs yesterday for the first time (in a class) and am very impressed with what can be done now using said GPPs. Many of the tasks that we currently use GPO startup scripts to do can now be done much easier and cleaner using GPPE. Now to deploy the GPP CSEs to all our clients.... :)
Jason On 6/18/08 8:48 AM, Darren Mar-Elia wrote:
Jason-There are two sides to Restricted Groups. If you open the dialog you see "Members of this Group" at the top and "This group is a member of" at the bottom. So, lets say you wanted to add the "Help Desk Admins" group to the local Administrators group on a set of workstations. You would right-click the Restricted Groups node, choose Add Group and enter in or browse "Help Desk Admins". Then, in the "This group is a member of" dialog, you would add the local Administrators group and, voilá!Hope that helps.Darren*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jason B. Halladay*Sent:* Wednesday, June 18, 2008 7:41 AM *To:* gptalk@xxxxxxxxxxxxx *Subject:* [gptalk] Re: Adding an account to a local groupHi Jamie,I am one of those that believe Restricted Groups doesn't just "add" an account to the local administrators group without removing any other members. Can you explain (or point me to a reference on) how to use "restricted groups" to simply add another member without removing any members? We most commonly use group policy to run a startup script that adds members to the local administrators group. This works well but if using the restricted groups policy would work, that would be one less script we'd have to maintain.Thanks, Jason On 6/13/08 7:58 AM, Nelson, Jamie wrote:You can do this with Restricted Groups policy. Normally people think of it as only able to mirror the membership listed (I was one of them), but you can actually use it to "add" a member without removing any of the existing ones.Other options would be to use a computer startup script, or the GPP extensions. GPP doesn't REQUIRE 2008 Server to work; you just have to have it or Vista SP1 (with RSAT pack) from which to create/edit GPOs utilizing those extensions.*Jamie Nelson* | Infrastructure Consultant | BI&T Operations | Devon Energy | Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/>*From:* gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jonathan Finkbiner*Sent:* Friday, June 13, 2008 7:21 AM *To:* gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx> *Subject:* [gptalk] Adding an account to a local groupI would like to add an account to the local administrators group on an OU. I've been browsing through Computer Configuration options and I don't see anything promising. Does anyone one have a suggestion?No, I do not have the ability to use server 2008 options. J*_Jonathan Finkbiner_* *Support Analyst* *Information Services* *_Lifestyle Family Fitness_** ------------------------------------------------------------------------ **Confidentiality Warning:* This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.