----- Original Message -----
Sent: Saturday, August 02, 2003 1:23
PM
Subject: [ActiveDir] OT (sort of)
Determining if Group membership is set by policy
All,
(sorry about the OT post)
We are currently redoing some of the group
membership management on machines in the organisation, and have done up a tool
to set the local admin membership on some of our machines. Problem I
have is that a number of these have the local admin membership set by AD group
policy.
Is there a way through code to determine if the
local admin group membership is set by policy so I can inform the user and
deny any changes to the group through the tool we have done ? I'm not really
concerned specifically what the policy is doing, merely if there is
one.
Problem we are having is that local admin
membership to workstations is set via GPO's on each container, but due to the
OU breakdown of machines, users are getting local admin to more machines than
we want. We have come up with a way to enforce a specific local admin
membership (and will automatically fix it if they change it), but need to
know if there is already a policy for that machine which is setting the local
admin membership.
If anyone has another way of doing this, thoughts
would be appreciated. And no, one container per computer and using GPO's
isn't going to cut it, nor will letting them have a free-for-all to local
admin group membership...sorry *grin*
TIA
Glenn
