I've done some testing on this and have found that the "MemberOf" policy, where DOMAIN\Group is to be a member of BUILTIN\Administrators, must be created on the DC itself. From a client workstation, neither the GPMC nor the Security Templates MMC snap-in allows you to do this.

If you only create the "MemberOf" policy, then it functions like an "add" or "merge". This works well for me where I have different DOMAIN\user accounts as members of the BUILTIN\Administrators group for various reasons. Again, thanks to all for your comments and suggestions.

__________________
Todd Povilaitis
LAN Administrator
Huntington Hospital
[EMAIL PROTECTED]
Phone: (626) 397-3392
Fax: (626) 397-2901

-----Original Message-----
From: Willem Kasdorp [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 01, 2004 13:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

Yes, that is the one. I consider it a must-have feature. Consider the common situation where you want to add a helpdesk group to the local admins of the workstations. Sure, I can script it, but if I have a GP then it is so much easier. When I first experimented with GPs I thought I had encountered a bug when it didn't work. It is still a bit convoluted. You would expect two modes: add to group, or replace group membership. Still, better than nothing!

--
Regards,
Willem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Sunday, February 29, 2004 22:27
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

Eric Fleischman <mailto:[EMAIL PROTECTED]> wrote:
> Willem do you happen to have the article that talks about it handy? I
> couldn't track it down.

This one?

810076 - Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Willem Kasdorp
> Sent: Sunday, February 29, 2004 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> It's true. There is an XP post-SP1 hotfix for that. It works through Member Of, that no longer removes all members but just adds the one you need. I believe it works by default on W2003. I just deployed that capability.
>
> > > 3. Do something around restricted groups GPO though this is tough to
> > > do when you want different admins on different boxes.
> >
> > Can't you set restricted groups to do an 'add' rather than a 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that was made. If there is doubt that I can dig up some documentation on it....I'd swear I read this before but it has been a while.
> >
> > ~Eric
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> > Sent: Friday, February 27, 2004 10:56 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
> >
> > You can't stop them from removing it.
> >
> > I would think to use one of several solutions once it is removed however. I will let you pick.
> >
> > 1. Have a script that watches for the removal of your group from the local admins group. If it occurs, the machine gets kicked out of the domain. They should get the hint shortly.
> >
> > 2. Have a startup script from a GPO put the group back in the admins group every time the machine reboots.
> >
> > 3. Do something around restricted groups GPO though this is tough to do when you want different admins on different boxes.
> >
> > 4. Set up a special service that monitors that group and makes sure the remote management group is always there. You could write it to be fast enough to put it back before their command that removes it returns from removing.
> >
> > When you are an admin of a box it is very difficult to be stopped from doing things on the box.
> >
> > -------------
> > http://www.joeware.net (download joeware)
> > http://www.cafeshops.com/joewarenet (wear joeware)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Povilaitis
> > Sent: Friday, February 27, 2004 6:02 PM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
> >
> > We have a few developers where their domain user account is a member of the Local Admins group. With this privilege, some have elected to delete the DOMAIN\Remote Management group from the Local Admins group. Among other things, this interferes with maintenance routines utilizing WMI and/or Remote Scripting. Is there any way to delete-inhibit the DOMAIN\Remote Management group from Local Admins?
> >
> > __________________
> > Todd Povilaitis
> > LAN Administrator
> > Huntington Hospital
> > [EMAIL PROTECTED]
> > Phone: (626) 397-3392
> > Fax: (626) 397-2901

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
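The thread settles on Restricted Groups "Member of" (KB 810076) as the clean answer, with joe's option 2 (a GPO startup script that puts the group back) as the fallback. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes a placeholder domain NetBIOS name CONTOSO and the group name "Remote Management" from the question, runs as SYSTEM from Computer Configuration > Windows Settings > Scripts > Startup, and uses the ADSI WinNT provider rather than the newer Add-LocalGroupMember cmdlet so it behaves the same on any Windows version that has PowerShell.

```powershell
<#
Added example (not from the thread): GPO computer startup script that re-adds
DOMAIN\Remote Management to the local Administrators group if a local admin
removed it, and writes a log line so the removal is at least visible.
Assumptions: CONTOSO and "Remote Management" are placeholders for your domain
and group; the log path is arbitrary.
#>
param(
    [string]$Domain    = 'CONTOSO',            # assumption: domain NetBIOS name
    [string]$GroupName = 'Remote Management',  # assumption: group named in the thread
    [string]$LogPath   = "$env:ProgramData\EnsureLocalAdmin.log"
)

# Bind to the local Administrators group; "." is the local machine.
function Get-LocalAdministratorsGroup {
    [ADSI]'WinNT://./Administrators,group'
}

# Return the current members as DOMAIN\name (or MACHINE\name) strings.
# Members whose SID can no longer be resolved come back as WinNT://S-1-5-21-...
# which simply will not match the wanted name, so the group gets re-added.
function Get-LocalAdministratorMembers {
    param([System.DirectoryServices.DirectoryEntry]$Group)
    foreach ($m in @($Group.Invoke('Members'))) {
        # Each member is a raw COM object; read its ADsPath property via reflection,
        # e.g. WinNT://CONTOSO/Remote Management
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Pure check, kept separate so it can be exercised with a constructed member list.
# PowerShell's -contains is case-insensitive, which matches Windows account naming.
function Test-MemberMissing {
    param([string[]]$Members, [string]$Wanted)
    return -not ($Members -contains $Wanted)
}

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

$wanted  = "$Domain\$GroupName"
$group   = Get-LocalAdministratorsGroup
$members = @(Get-LocalAdministratorMembers -Group $group)

if (Test-MemberMissing -Members $members -Wanted $wanted) {
    try {
        # Re-add the domain group. The machine must reach a DC to resolve the name,
        # which is normally true at startup once the network stack is up.
        $group.Add("WinNT://$Domain/$GroupName,group")
        Write-Log "Re-added $wanted to Administrators (members were: $($members -join ', '))"
    } catch {
        Write-Log "FAILED to re-add $wanted to Administrators: $($_.Exception.Message)"
        exit 1
    }
} else {
    Write-Log "$wanted already present in Administrators; nothing to do"
}
```

Two caveats a practitioner would want. First, as joe says in the thread, this only raises the cost: anyone who is a local administrator can remove the group again after the script has run, so the Restricted Groups "Member of" setting that Todd ended up with is the better control, because the security extension re-applies it on every policy refresh rather than only at boot. Second, the log file above is only useful if someone reads it; on current Windows, removal of a member from a local group is also recorded as Security event ID 4733, and forwarding those events centrally catches the removal itself instead of relying on the next reboot.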
