Excellent - I've previously always worked by defining a group's Member attribute instead - it's clear now how MemberOf makes the difference...
 
However, the following restriction is still not so cool: "Restricted Groups policies for the same group do not merge across GPOs. The effective policy is determined by the order of the Group Policy processing." - A choice to allow the GPO restricted group processing to "merge" or "replace" would be much better.
 
However, applying restricted groups this way will already solve many existing issues with this feature... Thanks a lot!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 1, 2004 05:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

With that in mind I'd be interested in hearing thoughts/criticisms of this feature. I can take them back to the GP team for consideration going forward.

 

~Eric

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Sunday, February 29, 2004 10:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

 

Man! You guys are good :) Thanks for digging this up.

 

 

Sincerely,

Deji Akomolafe,
MCSE MCSA MCP+I

Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

 


From: Free, Bob
Sent: Sun 2/29/2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

Eric Fleischman <mailto:[EMAIL PROTECTED]> wrote:
 
> Willem do you happen to have the article that talks about it handy? I
> couldn't track it down.
 
This one?
 
810076 - Updates to Restricted Groups ("Member of") Behavior of
User-Defined Local Groups:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076
 
 
 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Willem
> Kasdorp Sent: Sunday, February 29, 2004 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
> Management group from local admins...
> 
> 
> It's true. There is an XP post-SP1 hotfix for that. It works through
> Member Of, which no longer removes all members but just adds the one you
> need. I believe it works by default on W2003. I just deployed that
> capability.
> 
> 
>> 3. Do something around restricted groups GPO though this is tough to
>> do when you want different admins on different boxes.
> 
> Can't you set restricted groups to do an 'add' rather than a
> 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that
> was made. If there is doubt that I can dig up some documentation on
> it....I'd swear I read this before but it has been a while.
> 
> ~Eric
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, February 27, 2004 10:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
> Management group from local admins...
> 
> You can't stop them from removing it.
> 
> I would think to use one of several solutions once it is removed
> however. I will let you pick.
> 
> 1. Have a script that watches for the removal of your group from the
> local admins group. If it occurs, the machine gets kicked out of the
> domain. They should get the hint shortly.
> 
> 2. Have a startup script from a GPO put the group back in the admins
> group every time the machine reboots.
> 
> 3. Do something around restricted groups GPO though this is tough to
> do when you want different admins on different boxes.
> 
> 4. Set up a special service that monitors that group and makes sure
> the remote management group is always there. You could write it to be
> fast enough to put it back before their command that removes it
> returns from removing.
> 
> 
> When you are an admin of a box it is very difficult to be stopped from
> doing things on the box.
> 
> 
> 
> -------------
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Todd
> Povilaitis Sent: Friday, February 27, 2004 6:02 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
> Management
> group from local admins...
> 
> We have a few developers where their domain user account is a member
> of the Local Admins group.  With this privilege, some have elected to
> delete the DOMAIN\Remote Management group from the Local Admins group.
> Among other things, this interferes with maintenance routines utilizing
> WMI and/or Remote Scripting.  Is there any way to delete-inhibit
> DOMAIN\Remote Management group from Local Admins?
> 
> __________________
> Todd Povilaitis
> LAN Administrator
> Huntington Hospital
> [EMAIL PROTECTED]
> Phone: (626) 397-3392
> Fax: (626) 397-2901
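Joe's options 2 and 4 above (a startup script or a monitor that puts the group back) boil down to "check the local Administrators membership, re-add the required group if it is gone, and make the removal visible". The following is an added example of that check, written today in PowerShell; it is not code from the thread or from any Microsoft KB article. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember, Add-LocalGroupMember), that it runs as SYSTEM from a GPO startup script or a scheduled task, and that the group name 'DOMAIN\Remote Management' is the placeholder used in the thread, not a real group. The event source name and event IDs are the example's own choices.

```powershell
# Added example, not part of the original thread.
# Keeps a required domain group in the local Administrators group and writes
# an Application event whenever it had to be re-added, so the removal is
# visible to whatever collects the event logs.
param(
    # Placeholder name from the thread; replace with the real domain group.
    [string]$RequiredMember = 'DOMAIN\Remote Management',
    [string]$LocalGroup     = 'Administrators',
    # Event source name chosen for this example (assumption).
    [string]$LogSource      = 'LocalAdminGuard'
)

# Register the event source once (needs admin rights; SYSTEM has them).
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-GuardEvent {
    param([int]$Id, [string]$Type, [string]$Message)
    Write-EventLog -LogName Application -Source $LogSource `
        -EventId $Id -EntryType $Type -Message $Message
}

function Test-RequiredMember {
    param([string]$Group, [string]$Member)
    # Matching on the NAME is fine for a domain group that is never renamed;
    # matching on the SID (Get-LocalGroupMember returns one per member) is
    # more robust if renaming is possible.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Member })
}

try {
    if (Test-RequiredMember -Group $LocalGroup -Member $RequiredMember) {
        # Nothing to do; an informational event keeps a heartbeat in the log.
        Write-GuardEvent -Id 1000 -Type Information `
            -Message "'$RequiredMember' is present in '$LocalGroup'."
        exit 0
    }

    # The group is gone. Someone with local admin rights removed it, so
    # re-add it and record it as a warning rather than silently fixing it.
    Add-LocalGroupMember -Group $LocalGroup -Member $RequiredMember -ErrorAction Stop
    Write-GuardEvent -Id 1001 -Type Warning `
        -Message "'$RequiredMember' was missing from '$LocalGroup' and has been re-added."
    exit 0
}
catch {
    # Get-LocalGroupMember can fail on orphaned SIDs in the group, and
    # Add-LocalGroupMember fails if the domain cannot be reached; either way
    # the failure must be logged, not swallowed.
    Write-GuardEvent -Id 1002 -Type Error `
        -Message "Could not verify or restore '$RequiredMember' in '$LocalGroup': $($_.Exception.Message)"
    exit 1
}
```

Run from a GPO startup script this gives joe's option 2 (repair at every reboot); scheduled every few minutes as SYSTEM it approximates option 4 without writing a service. It does not prevent the removal, which, as the thread says, cannot be done against a local admin; it only shortens the window and leaves a trail. For detection independent of this script, the Security log records the removal itself as event 4733 (a member was removed from a security-enabled local group) when audit policy for security group management is enabled, so forwarding that event is the cheaper way to find out who removed the group and when. The declarative alternative is the Restricted Groups "Member of" setting discussed above, which adds the group without replacing the rest of the membership.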
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
