Not sure what you mean by "as soon as they logon". Who would the "they" be? In other words, if you need to populate a global group into a computer local group as a one-time operation, how about putting it into your build script after the machine joins the domain? You can certainly use startup scripts, but as Jorge notes it only runs at machine reboot and it runs in the context of the localSystem account or the machine account if it needs network access. The simplest way to do this is to run a net localgroup /add in a batch file, but the security context of the batch file must have rights to resolve the global groups in the domain that you wish to add into the local group.
 
 In any case, you can use Restricted Groups as well. There are two modes to it. One mode does create "exclusive membership" meaning that any groups/users not in the list in the policy will be removed from the local group. The other mode allows you to add a particular group to a list of other groups and is not exclusive.
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Wednesday, July 27, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Startup Scripts...

Thanks Jorge,
 
I only want this script to run at Startup. It's for new servers that are built; as soon as they logon I want the group to populate to the local group so that our Ops team have access. The existing servers already have been done via a previous script.
 
My knowledge of Restricted Groups is limited, but from what I read it's quite powerful. Does Restricted Groups remove the existing members of a local administrators group on a Server or Workstation once it's been enabled?
 

"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:
Oh yes they do... however only when the server is starting the startup script will run. While the server is running then the startup script will not run.
Same applies for shutdown scripts, logon scripts and logoff scripts -> only when resp. shutdown, logon, or logoff occurs.

What you want to use is the restricted groups with the memberof option. (also through GPOs)

The member option dictates what the members of a group are, and each member in the group but not in the list will be removed.
The memberof option does not dictate who the members are. It only says that some sec. princ. is a member of a group.

Cheers
#JORGE#

________________________________

From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Wed 7/27/2005 10:43 AM
To: Active
Subject: [ActiveDir] Startup Scripts...


Hi,

I planned to use a startup script to populate a global group to a local group on a series of Windows 2003 Servers in a single w2k3 domain so that any new Servers which are built other than myself will be automatically populated with this group. The Servers are placed in a sub OU.

My colleague has just said Startup Scripts do not run against Servers... is this correct?

If this is, does anyone have ideas as to how I get the group to automatically populate to all new Server builds without having to do it manually?

thanks,
- Frank
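
The two Restricted Groups modes discussed in this thread, as an added illustration that is not part of any message above: a sketch of the `[Group Membership]` section that a Restricted Groups policy stores in the GPO's security template (GptTmpl.inf). The domain SIDs and the "Ops" group are constructed placeholders; `S-1-5-32-544` is the well-known SID of the local Administrators group.

```ini
; Added example, not from the thread. Constructed placeholder SIDs:
;   S-1-5-21-1111111111-2222222222-3333333333-1105  hypothetical "Ops" global group
;   S-1-5-21-1111111111-2222222222-3333333333-512   Domain Admins (RID 512)
;   S-1-5-32-544                                    BUILTIN\Administrators
; Use ONE of the two options per group, not both.

[Group Membership]

; Option A: "Members" mode on the local group (exclusive).
; The list below becomes the complete membership of local Administrators.
; Any account or group already in Administrators but missing from this
; list is removed at policy refresh, so every required member must be
; listed explicitly.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105

; Option B: "Memberof" mode on the domain group (additive).
; States only that the Ops group is a member of local Administrators.
; Existing members of Administrators are left in place.
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
```

Option B matches the requirement in this thread (give the Ops group access on new servers without touching existing local administrators); Option A is the one to choose when the goal is to enforce a known-good Administrators membership and strip anything else.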
