Graham, please remember that existing local Administrators will be overwritten... Personally, I only find restricted groups useful when starting a domain from scratch.

Ray

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: 08 January 2007 15:49
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: restricted groups policy

Graham-

You're correct on that account. You can enter the administrators group as a free-text entry without browsing for it, and because the built-in administrators group has a well-known SID, it gets resolved correctly on the local machine.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Graham Turner
Sent: Monday, January 08, 2007 6:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] restricted groups policy

Dear all,

I posted a while ago re the restricted groups policy, and its use in the context of managing the membership of 'local administrators' of domain members.

It was indicated that there are 2 ways of implementing this - one using the 'members of this group' and the other 'this group is a member of', the latter being preferable on account of it allowing you to add to existing membership and not overwrite it.

It is just that when I come to use the GP editor to define the policy for, say, GLOBALGROUP1 (as the restricted group), the pick list that I get is that from the domain.

Is this just a red herring, in that even though I select 'MYDOM\Administrators' it will add the GLOBALGROUP1 to the local administrators group of the computer that is processing the policy?

Presumably on account of the domain local administrators group having the same SID, as it is what I think is termed a 'well known security principal'??
Thanks

GT

***********************
You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/
************************
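The two Restricted Groups modes discussed in this thread, as an added example that is not part of the original messages: a small audit of the [Group Membership] section of a GPO's GptTmpl.inf security template, where these settings are stored, that separates entries which replace local Administrators membership from entries which only add to it. The sample template, its placeholder SIDs, and the function names are constructed for illustration; matching a free-text "Administrators" by name is an assumption of this sketch.

```python
import re

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample template; the S-1-5-21-... SIDs are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = Administrators
*S-1-5-21-1111-2222-3333-1106__Members =
[Version]
signature="$CHICAGO$"
"""

def is_local_admins(principal):
    """True for the SID form (*S-1-5-32-544) or a free-text 'Administrators'."""
    p = principal.strip().lstrip("*")
    # Assumption: any name ending in 'Administrators' (with or without a
    # domain prefix) is treated as the built-in group, as the thread describes.
    return p.upper() == ADMINS_SID or p.split("\\")[-1].lower() == "administrators"

def audit_restricted_groups(inf_text):
    """Return (mode, group, principals) for entries touching local Administrators."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not (in_section and m):
            continue
        group, kind, value = m.group(1), m.group(2).lower(), m.group(3)
        principals = [v.strip() for v in value.split(",") if v.strip()]
        if kind == "members" and is_local_admins(group):
            # "Members of this group": the list replaces existing local members.
            findings.append(("REPLACE", group, principals))
        elif kind == "memberof" and any(is_local_admins(p) for p in principals):
            # "This group is a member of": the group is added, others are kept.
            findings.append(("ADD", group, principals))
    return findings

if __name__ == "__main__":
    for mode, group, principals in audit_restricted_groups(SAMPLE_INF):
        print(mode, group, principals)
```

A REPLACE finding is the case Ray warns about; an ADD finding is the additive form Graham asks about.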