I, for one, would be VERY interested in that documentation. I hope it's true and that MS has reworked the whole "Restricted Group" thingy. I personally got so badly burned by the lack of thought/testing that went into the original design, I have so far been scared of even thinking about anything with "Restricted" in its name.
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Eric Fleischman
Sent: Sat 2/28/2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
I'm not a group policy expert but Joe with this point:

> 3. Do something around restricted groups GPO though this is tough to do
> when you want different admins on different boxes.

Can't you set restricted groups to do an 'add' rather than a 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that was made. If there is doubt that I can dig up some documentation on it....I'd swear I read this before but it has been a while.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 27, 2004 10:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

You can't stop them from removing it. I would think to use one of several solutions once it is removed however. I will let you pick.

1. Have a script that watches for the removal of your group from the local admins group. If it occurs, the machine gets kicked out of the domain. They should get the hint shortly.
2. Have a startup script from a GPO put the group back in the admins group every time the machine reboots.
3. Do something around restricted groups GPO though this is tough to do when you want different admins on different boxes.
4. Set up a special service that monitors that group and makes sure the remote management group is always there. You could write it to be fast enough to put it back before their command that removes it returns from removing.

When you are an admin of a box it is very difficult to be stopped from doing things on the box.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Povilaitis
Sent: Friday, February 27, 2004 6:02 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
We have a few developers where their domain user account is a member of the Local Admins group. With this privilege, some have elected to delete the DOMAIN\Remote Management group from the Local Admins group. Among other things, this interferes with maintenance routines utilizing WMI and/or Remote Scripting. Is there any way to delete-inhibit the DOMAIN\Remote Management group from Local Admins?

__________________
Todd Povilaitis
LAN Administrator
Huntington Hospital
[EMAIL PROTECTED]
Phone: (626) 397-3392
Fax: (626) 397-2901

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
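An added example, not posted by anyone in this thread, of the "put it back and make it visible" approach behind Joe's options 2 and 4, for cases where the Restricted Groups 'add' semantics Eric mentions do not fit: a script run elevated (as SYSTEM from a GPO startup script or scheduled task) that checks the local Administrators group for a required domain group, re-adds it if it has been removed, and writes an Application event log entry either way so the removal shows up in central log collection instead of as a silent WMI/remote scripting outage. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts cmdlets; 'CONTOSO\Remote Management' and the event source name 'LocalAdminGuard' are placeholders.

```powershell
# Added example (not from any message in this thread): keep a required domain
# group in the local Administrators group and log any drift.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module)
# running elevated. 'CONTOSO\Remote Management' is a placeholder group name and
# 'LocalAdminGuard' a hypothetical event source.

param(
    [string]$RequiredMember = 'CONTOSO\Remote Management',
    [string]$LocalGroup     = 'Administrators',
    [string]$EventSource    = 'LocalAdminGuard'
)

# Register the event source once so entries can be collected centrally.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

function Test-RequiredMember {
    # $true when the required account is a direct member of the local group.
    # Get-LocalGroupMember lists direct members only; nested membership via
    # another group is deliberately not counted as compliant here.
    $members = Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq $RequiredMember })
}

if (Test-RequiredMember) {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Information `
        -EventId 1000 -Message "$RequiredMember present in $LocalGroup; no action."
    exit 0
}

# Drift detected: restore membership and record it as a Warning so the removal
# becomes a reviewable event rather than a silent maintenance failure.
try {
    Add-LocalGroupMember -Group $LocalGroup -Member $RequiredMember -ErrorAction Stop
    Write-EventLog -LogName Application -Source $EventSource -EntryType Warning `
        -EventId 1001 -Message "$RequiredMember was missing from $LocalGroup and has been re-added."
} catch {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Error `
        -EventId 1002 -Message "Failed to re-add $RequiredMember to ${LocalGroup}: $_"
    exit 1
}
```

Event IDs 1001/1002 are the ones to alert on from the collector; a local admin can still remove the group again, so the value is in the logged record and the fast restore, not in preventing the removal.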
