[gptalk] Re: restricted groups policy
- From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Mon, 8 Jan 2007 17:18:04 -0000
Graham, please remember that existing local Administrators will be
overwritten...
Personally, I only find restricted groups useful when starting a domain from
scratch.
Ray
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: 08 January 2007 15:49
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: restricted groups policy
Graham-
You're correct on that account. You can enter the administrators groups as a
free-text entry without browsing for it and because the built-in
administrators group has a well-known SID, it gets resolved correctly on the
local machine.
Darren
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Graham Turner
Sent: Monday, January 08, 2007 6:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] restricted groups policy
Dear all, I posted a while ago re the restricted groups policy, and its use
in the
context of managing the membership of 'local administtators' of domain
members.
It was indicated that there are 2 ways of implementing this - one using the
'members
of this group' and the other 'this group is a member of'
the latter being preferable on account if it allowing you to add to existing
membership and not overwrite it
it is just that when i come use the GP editor to define the policy for say
GLOBALGROUP1 (as the restricted group), the pick list that i get is that
from the
domain
is this just a red-herring in that even though i select
'MYDOM\Administrators' it
will add the GLOBALGROUP1 to the local administrators group of the computer
that is
processing the policy ?
presumably on account of the domain local administrators group having the
same SID
as it is what i think is termed 'well known security principal' ??
Thanks
GT
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
