I recall on W2K Servers it wouldn't remove administrator but after the policy would keep trying to apply there was a leak somewhere which would eventually run the machines out of resources and they would get very "hokey"/"flakey" and not properly process NET* API calls.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 26, 2005 12:08 PM
To: [email protected]
Subject: RE: [ActiveDir] GPO to Control Local Administrators Group on Workstations

The only caveat I think I would put on that is that that is not the behavior I remember in the Win2K days. So if your clients are Win2K you might want to test that. Or maybe someone can confirm on Win2K?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele
Sent: Thursday, May 26, 2005 8:59 AM
To: [email protected]
Subject: Re: [ActiveDir] GPO to Control Local Administrators Group on Workstations

You have read it correctly, as I understand it as well. With restricted groups, even if you do not include "Administrator" in the list of members of "Administrators" in your GPO, the local account "Administrator" on the workstation will still have full admin access to the machine.

/aaron

Salandra, Justin A. wrote:
> If I was to modify a GPO and put in a Restricted Group on my
> workstation GPO to control the Administrators Local Group would it
> remove all that is in the group currently including the Administrator of the Local PC?
> I read somewhere that Restricted Groups will not remove the
> Administrator no matter what even if you don't include it in the group.
>
> If I was to just show Administrator with no domain affiliation then
> this would be translated to the local Administrator account, correct?
>
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office 917.455.0110 - cell
> [EMAIL PROTECTED]
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Aaron Steele
Enterprise Systems Administrator
e:[EMAIL PROTECTED] p:773.834.9099
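
The Restricted Groups behaviour discussed in this thread, as an added example that is not part of any message above: a Python preview of which local Administrators members a GPO would keep, remove or add on one workstation. It assumes the `[Group Membership]` layout of the GPO's `GptTmpl.inf`; every SID and account name is constructed, and the hypothetical `keeps_builtin_admin` flag switches between the behaviour Aaron describes and the Win2K case Darren suggests testing.

```python
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample GptTmpl.inf content (real files live in SYSVOL, usually UTF-16).
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,EXAMPLE\\Desktop Admins
"""
MACHINE_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
# Constructed snapshot of a workstation's local Administrators group: {SID: name}
CURRENT = {
    MACHINE_SID + "-500": "WKS01\\Administrator",
    DOMAIN_SID + "-512": "EXAMPLE\\Domain Admins",
    MACHINE_SID + "-1001": "WKS01\\helpdesk",
    DOMAIN_SID + "-1105": "EXAMPLE\\jdoe",
}

def restricted_members(inf_text, group_sid=ADMINISTRATORS):
    """Return the Members list for one group from [Group Membership], or None."""
    section = ""
    for line in (l.strip() for l in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "group membership" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lstrip("*").lower() == (group_sid + "__members").lower():
                return [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return None  # group is not restricted by this GPO

def preview(policy, current, machine_sid, keeps_builtin_admin=True):
    """Return (kept, removed, added) account lists for one machine."""
    # keeps_builtin_admin=True models the thread's claim that the local
    # Administrator (RID 500) survives even when unlisted; False models the rest.
    wanted = {m.lower() for m in policy}
    kept, removed = [], []
    for sid, name in current.items():
        listed = sid.lower() in wanted or name.lower() in wanted
        spared = keeps_builtin_admin and sid == machine_sid + "-500"
        (kept if listed or spared else removed).append(name)
    present = {s.lower() for s in current} | {n.lower() for n in current.values()}
    added = [m for m in policy if m.lower() not in present]
    return kept, removed, added

if __name__ == "__main__":
    print(preview(restricted_members(SAMPLE_INF), CURRENT, MACHINE_SID))
```

Running the preview with both flag values before linking the GPO shows exactly which accounts depend on the unlisted-Administrator behaviour, which is the part worth confirming on a Win2K test client.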
