Guido,

Thanks for the explanation!

Regards,
Jorge 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Tuesday, March 02, 2004 11:43
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
Management group from local admins...

you sort of get this by EITHER
1. using the MEMBER method
=> REPLACES all members of the local group with the domain users or groups
you list for the restricted group
OR
2. by using the MEMBER OF method
=> ensures that a specific domain group is made a member of the local group
listed (ADDs the group), but doesn't replace the other members that are in
the local group!

It only gets difficult, if you want to combine the two for an overlapping
set of groups (i.e. define domaingroup1 to be MEMBER OF localgroup1, while
at the same time defining localgroup1 via MEMBER to contain only certain
members... - this is where you can't predict the results...)

/Guido
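
Added example (not part of the thread and not Microsoft code): a Python check that reads the `[Group Membership]` section of a Restricted Groups security template and flags the overlapping case described above, where a local group has a MEMBER list while another group is separately made MEMBER OF it. The template text, SIDs and `EXAMPLE\` names are constructed; treating an empty `__Members =` line as "no list defined" and matching groups by exact string are assumptions of this example.

```python
import re

# Constructed sample of a GptTmpl.inf; SIDs and EXAMPLE\ names are made up.
# S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-551 is Backup Operators.
SAMPLE_INF = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,EXAMPLE\Helpdesk
EXAMPLE\Remote Management__Memberof = *S-1-5-32-544
EXAMPLE\Remote Management__Members =
EXAMPLE\Backup Ops__Memberof = *S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<vals>.*)$", re.I)

def parse_group_membership(text):
    """Return {group: {"members": list or None, "memberof": list}}."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        vals = [v.strip() for v in m["vals"].split(",") if v.strip()]
        entry = groups.setdefault(m["group"].strip(), {"members": None, "memberof": []})
        if m["kind"].lower() == "members":
            entry["members"] = vals   # MEMBER method: replaces the membership
        else:
            entry["memberof"] = vals  # MEMBER OF method: adds to the targets
    return groups

def find_overlaps(groups):
    """Map each group that has a non-empty MEMBER list to the groups that are
    also pushed into it via MEMBER OF without appearing in that list."""
    overlaps = {}
    for name, entry in groups.items():
        for target in entry["memberof"]:
            t = groups.get(target)  # assumption: exact string match, no SID/name lookup
            # Assumption: an empty "__Members =" line is treated as "no list defined".
            if t and t["members"] and name not in t["members"]:
                overlaps.setdefault(target, []).append(name)
    return overlaps
```

Real GptTmpl.inf files are normally stored as UTF-16, so decode the file before passing its text to `parse_group_membership`.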

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, March 2, 2004 08:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
Management group from local admins...

This new functionality offers more flexibility (I think? First it replaced
the groups, now it adds the groups), but what about the situation when I
would like to dictate what groups (and only those groups) are in another
group without having another admin adding his own groups or removing groups
(as stated below when this discussion started)? So I would be happier
if I had the choice (for each restricted group definition) of
ADDING the defined groups/users to a group or REPLACING all the groups in
the group with the groups that I define in the restricted groups GPO.

Regards,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Monday, March 01, 2004 22:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
Management group from local admins...

Yes, that is the one. I consider it a must-have feature. Consider the common
situation where you want to add a helpdesk group to the local admins of the
workstations. Sure, I can script it, but if I have a GP then it is so much
easier. 

When I first experimented with GP's I thought I had encountered a bug when
it didn't work. It is still a bit convoluted. You would expect two modes:
add to group, or replace group membership. Still, better than nothing!

--
    Regards, Willem 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Sunday, February 29, 2004 22:27
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
Management group from local admins...

Eric Fleischman <mailto:[EMAIL PROTECTED]> wrote:

> Willem do you happen to have the article that talks about it handy? I 
> couldn't track it down.

This one?

810076 - Updates to Restricted Groups ("Member of") Behavior of User-Defined
Local Groups:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076


 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
> Sent: Sunday, February 29, 2004 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote 
> Management group from local admins...
> 
> 
> It's true. There is an XP post-SP1 hotfix for that. It works through 
> Member Of, that no longer removes all members but just adds the one 
> you need. I believe it works by default on W2003. I just deployed that 
> capability.
> 
> 
>> 3. Do something around restricted groups GPO though this is tough to 
>> do when you want different admins on different boxes.
> 
> Can't you set restricted groups to do an 'add' rather than a 
> 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that was 
> made. If there is doubt that I can dig up some documentation on 
> it....I'd swear I read this before but it has been a while.
> 
> ~Eric
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, February 27, 2004 10:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote 
> Management group from local admins...
> 
> You can't stop them from removing it.
> 
> I would think to use one of several solutions once it is removed 
> however. I will let you pick.
> 
> 1. Have a script that watches for the removal of your group from the 
> local admins group. If it occurs, the machine gets kicked out of the 
> domain. They should get the hint shortly.
> 
> 2. Have a startup script from a GPO put the group back in the admins 
> group every time the machine reboots.
> 
> 3. Do something around restricted groups GPO though this is tough to 
> do when you want different admins on different boxes.
> 
> 4. Set up a special service that monitors that group and makes sure 
> the remote management group is always there. You could write it to be 
> fast enough to put it back before their command that removes it 
> returns from removing.
> 
> 
> When you are an admin of a box it is very difficult to be stopped from 
> doing things on the box.
> 
> 
> 
> -------------
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Todd Povilaitis
> Sent: Friday, February 27, 2004 6:02 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote 
> Management group from local admins...
> 
> We have a few developers where their domain user account is a member 
> of Local Admins group.  With this privilege, some have elected to 
> delete the DOMAIN\Remote Management group from the Local Admins group.
> Among other things, this interferes with maintenance routines 
> utilizing WMI and/or Remote Scripting.  Is there any way to delete inhibit 
> DOMAIN\Remote Management group from Local Admins?
> 
> __________________
> Todd Povilaitis
> LAN Administrator
> Huntington Hospital
> [EMAIL PROTECTED]
> Phone: (626) 397-3392
> Fax: (626) 397-2901

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.