Brian, the "wipe and load" behavior is a thing of the past with the introduction of the new "MemberOf" attribute. Here's a short reply I posted on another list a while back. Another option is to use the "MemberOf" option in a "Restricted Groups" GPO. Say the group is called GrpA and you want it to be a member of the administrators group in every client in ClientsOU. You will create and apply a group policy to ClientsOU. In that policy, you will create a restricted group object, by adding GrpA. Then in the properties, you will choose the "this group is a member of:" and type in "administrators". By doing the above, the existing members of the "administrators" group are not removed. The process will simply append GrpA to the membership list on "administrators". HTH Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Mon 10/3/2005 4:14 PM To: [email protected] Cc: '# Jose Medeiros-IBM (E-mail)' Subject: RE: [ActiveDir] AD Question for your peers-GPO Yes. You want to use the Restricted Groups function in the computer config area. Be aware it is a replacement not a merge, so, things already in there will get blasted Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Monday, October 03, 2005 4:12 PM To: [email protected] Cc: # Jose Medeiros-IBM (E-mail) Subject: [ActiveDir] AD Question for your peers-GPO We have three child domains off our root domain and basically we want to add a global or universal group ( We are in Native mode on AD 2003) to the local admin group on member servers & workstations in a child domain, every time a new computer account is to AD. Is this possible using a GPO? ( Please read the message below ) Jose :-) > -----Original Message----- > From: Ebias, Danilo > Sent: Monday, October 03, 2005 11:57 AM > To: Medeiros, Jose > Subject: AD Question for your peers > > Jose, > Could you check with your peers about how we could define a group policy that would add a universal group or global group automatically into the local admin group of computers into a specific OU? I remember reading that this is possible, but I can't find any documentation about it. > > > Thanks, > dan > > Danilo Ebias, Jr. > ADP | National Account Services > ProBusiness Division | Information Services > 925.737.7035 > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
