Nice links Susan. Apps misbehaving like this has been my biggest pet peeve for years now. I've tweaked more than my fair share of apps and I've been fortunate enough to never hit one that I can't make work with filemon/regmon. However, some of my guys are telling me they can't make Quicken work, so I was interested in your Quicken page, but I have to question the legitimacy of opening up the entire HKCR key. Is it your experience that that's an absolute requirement or are there some subkeys there that can be specified more specifically? I've seen some apps that I've had to open up nearly 100 subkeys of HKCR, so I know they can be a pain, but to me it's worth it to find them. It seems to me that opening HKCR could potentially be very dangerous as well.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 03, 2005 10:16 PM
To: [email protected]
Subject: Re: [ActiveDir] AD Question for your peers-GPO

Uh guys? Can I be annoying and ask a stupid question here?

"Could you check with your peers about how we could define a group policy that would add a universal group or global group automatically into the local admin group of computers into a specific OU? I remember reading that this is possible, but I can't find any documentation about it."

Yes it can be done, but let's step back a bit. Why do you need local admin? And especially on member servers?

Forgive me...but in my network this is one of the worst ways you can set up your workstations. This means that the stupidest person on the planet in your office can infect your entire network. You really want that?

If you are doing this because some stupid line of business app says "we won't support you unless you run as local admin on the desktops" [aka Quickbooks in my office] use Filemon and Regmon to figure out the perms to adjust and hack that registry/file perms to get the stupid app to work in standard user/LUA.

http://www.sbslinks.com/lua2.htm

Even if you aren't willing to do that.. if you are doing this for the benefit of some app that says "you need local admin access" please give me the name so I can post it on the www.threatcode.com web site. We've got to get vendors ready for Vista's LUA/UAP stuff.

Brian Desmond wrote:

>Cool. I haven't used restricted groups really since it was introduced
>originally. I vaguely recall hearing something about this though.
>
>Thanks,
>Brian Desmond
>[EMAIL PROTECTED]
>
>c - 312.731.3132
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>Sent: Monday, October 03, 2005 9:58 PM
>To: [email protected]
>Subject: RE: [ActiveDir] AD Question for your peers-GPO
>
>Brian,
>
>the "wipe and load" behavior is a thing of the past with the introduction of
>the new "MemberOf" attribute. Here's a short reply I posted on another list
>a while back.
>
>Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.
>Say the group is called GrpA and you want it to be a member of the
>administrators group in every client in ClientsOU. You will create and apply
>a group policy to ClientsOU. In that policy, you will create a restricted
>group object, by adding GrpA. Then in the properties, you will choose the
>"this group is a member of:" and type in "administrators".
>
>By doing the above, the existing members of the "administrators" group are
>not removed. The process will simply append GrpA to the membership list on
>"administrators".
>
>HTH
>
>Sincerely,
>
>Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>Microsoft MVP - Directory Services
>www.readymaids.com - we know IT
>www.akomolafe.com
>Do you now realize that Today is the Tomorrow you were worried about
>Yesterday? -anon
>
>________________________________
>
>From: [EMAIL PROTECTED] on behalf of Brian Desmond
>Sent: Mon 10/3/2005 4:14 PM
>To: [email protected]
>Cc: '# Jose Medeiros-IBM (E-mail)'
>Subject: RE: [ActiveDir] AD Question for your peers-GPO
>
>Yes. You want to use the Restricted Groups function in the computer config
>area. Be aware it is a replacement not a merge, so, things already in there
>will get blasted
>
>Thanks,
>Brian Desmond
>[EMAIL PROTECTED]
>
>c - 312.731.3132
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
>Sent: Monday, October 03, 2005 4:12 PM
>To: [email protected]
>Cc: # Jose Medeiros-IBM (E-mail)
>Subject: [ActiveDir] AD Question for your peers-GPO
>
>We have three child domains off our root domain and basically we want to add
>a global or universal group ( We are in Native mode on AD 2003) to the local
>admin group on member servers & workstations in a child domain, every time a
>new computer account is added to AD. Is this possible using a GPO?
>( Please read the message below )
>
>Jose :-)
>
>> -----Original Message-----
>>From: Ebias, Danilo
>>Sent: Monday, October 03, 2005 11:57 AM
>>To: Medeiros, Jose
>>Subject: AD Question for your peers
>>
>>Jose,
>>Could you check with your peers about how we could define a group
>>policy that would add a universal group or global group automatically into
>>the local admin group of computers into a specific OU? I remember reading
>>that this is possible, but I can't find any documentation about it.
>>
>>Thanks,
>>dan
>>
>>Danilo Ebias, Jr.
>>ADP | National Account Services
>>ProBusiness Division | Information Services
>>925.737.7035
>
>List info : http://www.activedir.org/List.aspx
>List FAQ : http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
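
The two Restricted Groups modes discussed in the thread ("Members", which replaces the list, and "this group is a member of", which appends) can be told apart when reviewing a policy. The following is an added example, not code from any poster: it parses the `[Group Membership]` section of a Restricted Groups security template (GptTmpl.inf) and reports every setting that changes the local Administrators group. The sample template and its SIDs are constructed placeholders, and the function names are hypothetical.

```python
ADMINS = {"*s-1-5-32-544", "administrators"}  # local Administrators: well-known SID or name

# Constructed GptTmpl.inf fragment; the 0-0-0 domain SIDs are placeholders, not real values.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-0-0-0-1111__Memberof = *S-1-5-32-544
*S-1-5-21-0-0-0-1111__Members =
*S-1-5-32-544__Members = *S-1-5-21-0-0-0-512,*S-1-5-21-0-0-0-2222
[Version]
signature="$CHICAGO$"
"""


def parse_group_membership(inf_text):
    """Map (group, 'members' | 'memberof') to its list of entries."""
    parsed, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep:
            parsed[(group, kind.lower())] = [v.strip() for v in value.split(",") if v.strip()]
    return parsed


def audit_local_admin(inf_text):
    """Return (mode, group, entries) for each setting that changes local Administrators."""
    findings = []
    for (group, kind), entries in parse_group_membership(inf_text).items():
        if kind == "memberof" and any(e.lower() in ADMINS for e in entries):
            # "This group is a member of": the group is appended, existing members stay.
            findings.append(("append", group, entries))
        elif kind == "members" and group.lower() in ADMINS and entries:
            # "Members of this group": the list replaces whatever is there now.
            findings.append(("replace", group, entries))
    return findings


if __name__ == "__main__":
    for mode, group, entries in audit_local_admin(SAMPLE_INF):
        print(f"{mode:8} {group} -> {', '.join(entries)}")
```

Empty lists are skipped, so only explicit grants are reported. Real template files are typically stored as UTF-16, so decode them accordingly before passing the text in.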
