RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

[joe]

Cool, that is a nice change.   Any recommendations I had would be around making it less confusing / more intuitive. Shouldn't need a KB article to understand what happens when you populate the restricted group. Maybe break it up into a couple of things   1. Replace membership 2. Add to membership 3. Remove from membership   Good memory. :o)   ------------- http://www.joeware.net   (download joeware) http://www.cafeshops.com/joewarenet  (wear joeware)       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Sunday, February 29, 2004 11:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins... With that in mind I�d be interested in hearing thoughts/criticisms of this feature. I can take them back to the GP team for consideration going forward.   ~Eric     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba Sent: Sunday, February 29, 2004 10:10 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...   Man! You guys are good :) Thanks for digging this up.     Sincerely, D�j� Ak�m�l�f�, MCSE MCSA MCP+I Microsoft MVP - Active Directory www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon   From: Free, Bob Sent: Sun 2/29/2004 1:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins... Eric Fleischman <mailto:[EMAIL PROTECTED]> wrote:   > Willem do you happen to have the article that talks about it handy? I > couldn't track it down.   This one?   810076 - Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076     > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Willem > Kasdorp Sent: Sunday, February 29, 2004 9:15 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote > Management group from local admins... > > > It's true. There is a XP post-SP1 hotfix for that. It works through > Member > Of, that no longer removes all members but just adds the one you > need. I believe it works by default on W2003. I just deployed that > capability. > > >> 3. Do something around restricted groups GPO though this is tough to >> do when you want different admins on different boxes. > > Can't you set restricted groups to do an 'add' rather than a > 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that > was made. If there > is doubt that I can dig up some documentation on it....I'd swear I > read this > before but it has been a while. > > ~Eric > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Friday, February 27, 2004 10:56 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote > Management group from local admins... > > You can't stop them from removing it. > > I would think to use one of several solutions once it is removed > however. I > will let you pick. > > 1. Have a script that watches for the removal of your group from the > local > admins group. If it occurs, the machine gets kicked out of the domain. > They > should get the hint shortly. > > 2. Have a startup script from a GPO put the group back in the admins > group > every time the machine reboots. > > 3. Do something around restricted groups GPO though this is tough to > do when > you want different admins on different boxes. > > 4. Set up a special service that monitors that group and makes sure > the remote management group is always there. You could write it to be > fast enough to put it back before their command that removes it > returns from removing. > > > When you are an admin of a box it is very difficult to be stopped from > doing > things on the box. > > > > ------------- > http://www.joeware.net   (download joeware) > http://www.cafeshops.com/joewarenet  (wear joeware) > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Todd > Povilaitis Sent: Friday, February 27, 2004 6:02 PM > To: ActiveDir (E-mail) > Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote > Management > group from local admins... > > We have a few developers where their domain user account is a member > of Local Admins group.  With this privilege, some have elected to > delete the > DOMAIN\Remote Management group from the Local Admins group.  Among > other things, this interferes with maintenance routines utilizing WMI > and or Remote Scripting.  Is there any to delete inhibit DOMAIN\Remote > Management > group from Local Admins? > > __________________ > Todd Povilaitis > LAN Administrator > Huntington Hospital > [EMAIL PROTECTED] > Phone: (626) 397-3392 > Fax: (626) 397-2901   List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/