you can only change the groups on those machines, to which
the GPOs apply. If you apply a restricted groups GPO to an OU and try to
add members to the Ent.Admin. group, you'll fail, as this group is maintained by
the root DCs only. And I would never advise you to use the restricted
groups policy on your DCs themselves - it's definitely geared to be used for
members/clients of a domain.
Even though you can't browse the groups of the
member-machines, you can just type their names (which is ugly in a
multi-language environment...).
When using the MemberOf option, you'd e.g. add the
"<forestroot>\Enterprise Admins" group to the restricted groups list and
then add the names of the local machine-group, i.e. "Administrators" to the
MemberOf tab => this will ensure that the Enterprise Admins are members of
the Administrators group on every machine in that OU. At the same time, the
other members of the Administrators group remain in this group as
well.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, 21 April 2004 16:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Guido, et al…I have tried this in my test domain – I applied the GPO to the OU where my servers are, as well as an OU I created where my workstations are. The group I added is the Enterprise Admins group.
Now I think I just need some clarification on the members and member of settings.
First, re: Members…since this GPO applies to the specific OU, is this saying that only the accounts that I place in members on this Enterprise Admins group object will in fact be Enterprise Admins, and that they will only be Enterprise Admins with respect to this OU? That seems weird, but otherwise, why would this members option be included in the GPO?
Second, re: Members Of. If my goal is to make the Enterprise Admins members of the Local Administrators group on the machines in the OU, but the only objects I can choose from are domain objects (not the local objects) what group do I choose to make this happen?
Third, why do the Members and Members Of options say “This group should contain no members” and “The groups to which this group belongs should not be modified” respectively, even though it will let me do either or both?
Sorry for the lengthy query – I’m just confused (can you tell??) :-)
Thanks for your help on this issue!
<mc> -----Original Message-----
domain admins is a global group and as such you can't add users from other domains to it. While other global groups can be converted to universal groups, you can't do so for the domain admins group.
a solution to your problem is to use the restricted groups GPO feature (which will not work for your legacy machines in the AD domain) to add a universal group to the administrators group of all Server-OUs. I wouldn't want to set this GPO at the domain level, as then you're putting your AD domains at risk as well, if you do something wrong... The UG to use can either be the Enterprise Admins group or any other UG you assign for the task.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.

What about adding them to each domain admins group for each domain?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark

We’d like to eventually trim down the number of domains and get to an OU-based administrative model. But in the mean time, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn’t allow logon to all the member servers. How do I best grant “domain admin-level” rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.
Thanks!
Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
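The MemberOf behaviour Guido describes at the top of the thread (the domain group is added to each machine's local Administrators group, and the existing local members stay) is easy to verify from the member machines themselves. The script below is an added example, not code from the thread or from anyone in it; it reads local group membership over the ADSI WinNT provider, which also works on the older machines the thread mentions, and reports per machine whether the expected group is present and which other members remain. The computer names and the CONTOSO domain are constructed placeholders; replace them with your own.

```powershell
# Added example (not part of the original thread): audit the result of a
# Restricted Groups "Member of" setting on member machines.
# Assumes network access to the machines with an account allowed to read
# local group membership. Names below are constructed placeholders.

$Computers      = @('SERVER01', 'SERVER02')        # constructed sample names
$ExpectedMember = 'CONTOSO\Enterprise Admins'      # stands in for "<forestroot>\Enterprise Admins"
$LocalGroup     = 'Administrators'

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$GroupName)
    # The WinNT provider reads local groups on any NT-family machine,
    # including ones too old for the Get-LocalGroupMember cmdlet.
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is e.g. WinNT://CONTOSO/Enterprise Admins; rewrite it as
        # DOMAIN\Name so it can be compared with $ExpectedMember.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalGroupMembership -Computer $c -GroupName $LocalGroup)
    } catch {
        Write-Warning "$c : could not read $LocalGroup ($($_.Exception.Message))"
        continue
    }
    # -contains is case-insensitive, matching how Windows compares account names.
    $present = $members -contains $ExpectedMember
    [pscustomobject]@{
        Computer     = $c
        HasExpected  = $present
        OtherMembers = ($members | Where-Object { $_ -ne $ExpectedMember }) -join '; '
    }
}
```

Run it after the GPO has had time to refresh on the target OU. A machine where HasExpected is false has not picked up the policy (or is outside the OU); an OtherMembers column that is suddenly empty is the sign that a Members setting, not MemberOf, was used and replaced the group's membership.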
