[gptalk] Re: restricted groups policy

  • From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 8 Jan 2007 17:18:04 -0000

Graham, please remember that existing local Administrators will be
overwritten... 

Personally, I only find restricted groups useful when starting a domain from
scratch.

Ray

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 08 January 2007 15:49
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: restricted groups policy

Graham-
You're correct on that account. You can enter the administrators groups as a
free-text entry without browsing for it and because the built-in
administrators group has a well-known SID, it gets resolved correctly on the
local machine. 

Darren



-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Graham Turner
Sent: Monday, January 08, 2007 6:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] restricted groups policy

Dear all, I posted a while ago re the restricted groups policy, and its use
in the context of managing the membership of 'local administrators' of
domain members.

It was indicated that there are 2 ways of implementing this - one using the
'members of this group' and the other 'this group is a member of'

the latter being preferable on account of it allowing you to add to existing
membership and not overwrite it

it is just that when I come to use the GP editor to define the policy for say
GLOBALGROUP1 (as the restricted group), the pick list that I get is that
from the domain

is this just a red herring in that even though I select
'MYDOM\Administrators' it will add the GLOBALGROUP1 to the local
administrators group of the computer that is processing the policy?

presumably on account of the domain local administrators group having the
same SID as it is what I think is termed 'well known security principal'??

Thanks

GT


***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************
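
The difference between the two modes discussed in this thread can be audited from the policy file itself. The following is an added example, not code from any poster: it assumes the Restricted Groups settings are read from a GPO's GptTmpl.inf `[Group Membership]` section with `__Members` / `__Memberof` keys, and the sample content and SIDs are constructed.

```python
import re

# Well-known SID of the built-in Administrators group; accepting the bare
# name as an alias is an assumption covering free-text entries.
ADMIN_ALIASES = {"S-1-5-32-544", "ADMINISTRATORS"}

# Constructed sample; the S-1-5-21-... SIDs are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
"""

def parse_group_membership(text):
    """Return (group, kind, [values]) tuples from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
            entries.append((m.group(1), m.group(2).lower(), values))
    return entries

def classify(entries):
    """Separate entries that replace local Administrators from ones that add to it."""
    result = {"overwrites": [], "adds": []}
    for group, kind, values in entries:
        if kind == "members" and group.upper() in ADMIN_ALIASES and values:
            # "Members of this group": existing local members not listed are removed.
            # Empty lists are skipped; this example does not model them.
            result["overwrites"].append(values)
        elif kind == "memberof" and any(v.upper() in ADMIN_ALIASES for v in values):
            # "This group is a member of": the group is added, existing members stay.
            result["adds"].append(group)
    return result

if __name__ == "__main__":
    print(classify(parse_group_membership(SAMPLE_INF)))
```

Any entry reported under `overwrites` is the case Ray warns about; entries under `adds` correspond to the additive "this group is a member of" approach.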
