I do too. Steve Friedl and I spent about 4 hours on that blasted app and gave up. It was writing stuff all over that hive. But I honestly do need to revisit that and see if we can do a better job on that one. I'm not happy with HKCR opened up like that either. This is "SBSized" instructions... that is... it's not what I'd like, which is to kill off Quickbooks, but it's better than full local admin for the time being.

Crawford, Scott wrote:

Nice links Susan.  Apps misbehaving like this have been my biggest pet peeve for 
years now.  I've tweaked more than my fair share of apps and I've been 
fortunate enough to never hit one that I can't make work with Filemon/Regmon.  
However, some of my guys are telling me they can't make Quicken work, so I was 
interested in your Quicken page, but I have to question the legitimacy of 
opening up the entire HKCR key.  Is it your experience that that's an absolute 
requirement, or are there some subkeys there that can be specified more 
specifically?  I've seen some apps where I've had to open up nearly 100 subkeys 
of HKCR, so I know they can be a pain, but to me it's worth it to find them.  It 
seems to me that opening HKCR could potentially be very dangerous as well.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 03, 2005 10:16 PM
To: [email protected]
Subject: Re: [ActiveDir] AD Question for your peers-GPO

Uh guys?  Can I be annoying and ask a stupid question here?

"Could you check with your peers about how we could define a group
policy that would add a universal group or global group automatically into
the local admin group of computers into a specific OU? I remember reading
that this is possible, but I can't find any documentation about it."


Yes it can be done, but let's step back a bit.

Why do you need local admin?  And especially on member servers?

Forgive me...but in my network this is one of the worst ways you can set up 
your workstations.  This means that the stupidest person on the planet in your 
office can infect your entire network.  You really want that?

If you are doing this because some stupid line of business app says "we won't 
support you unless you run as local admin on the desktops" [aka Quickbooks in my 
office] use Filemon and Regmon to figure out the perms to adjust and hack that 
registry/file perms to get the stupid app to work in standard user/LUA.  
http://www.sbslinks.com/lua2.htm

Even if you aren't willing to do that... if you are doing this for the benefit of some app 
that says "you need local admin access" please give me the name so I can post 
it on the www.threatcode.com web site.

We've got to get vendors ready for Vista's LUA/UAP stuff.

Brian Desmond wrote:

Cool. I haven't used restricted groups really since it was introduced
originally. I vaguely recall hearing something about this though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 9:58 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Question for your peers-GPO

Brian,

the "wipe and load" behavior is a thing of the past with the introduction of
the new "MemberOf" attribute. Here's a short reply I posted on another list
a while back.

Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create and apply
a group policy to ClientsOU. In that policy, you will create a restricted
group object, by adding GrpA. Then in the properties, you will choose the
"this group is a member of:" and type in "administrators".

By doing the above, the existing members of the "administrators" group are
not removed. The process will simply append GrpA to the membership list on
"administrators".

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
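To make the difference between the two Restricted Groups forms discussed above concrete, here is an added Python example that is not part of this thread: it parses the [Group Membership] section of a constructed GptTmpl.inf (the file Group Policy stores Restricted Groups in) and applies a Members-style and a MemberOf-style entry to a constructed workstation state. The replace-versus-append semantics are those stated in the thread; the domain, group and account names are assumptions.

```python
# Added example (not from the thread): simulate both Restricted Groups forms
# on a constructed local group. Inputs are constructed GptTmpl.inf fragments.
import re

# Deji's approach: GrpA is made a member of the local Administrators group.
POLICY_MEMBEROF = """\
[Group Membership]
CORP\\GrpA__Memberof = Administrators
"""

# Brian's warning: the listed principals become the entire membership.
POLICY_MEMBERS = """\
[Group Membership]
Administrators__Members = Administrator,CORP\\Domain Admins,CORP\\GrpA
"""

# Constructed state of one workstation before either policy applies.
LOCAL_BEFORE = {"Administrators": {"Administrator", "CORP\\Domain Admins", "HelpDesk"}}

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the
    [Group Membership] section; tokens (names or *SID forms) are kept verbatim."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+)__(members|memberof)", key.strip(), re.I)
        if not m:
            continue
        spec = entries.setdefault(m.group(1), {"members": [], "memberof": []})
        spec[m.group(2).lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return entries

def apply_policy(local_groups, entries):
    """Model the semantics described in the thread: a non-empty Members list
    replaces the whole membership, MemberOf appends. Empty lists are ignored."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, spec in entries.items():
        if spec["members"]:
            result[group] = set(spec["members"])         # wipe and load
        for target in spec["memberof"]:
            result.setdefault(target, set()).add(group)  # append only
    return result
```

Run `apply_policy(LOCAL_BEFORE, parse_group_membership(POLICY_MEMBERS))` and the locally added HelpDesk account disappears from Administrators; with POLICY_MEMBEROF it survives and GrpA is added alongside it.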

________________________________

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 10/3/2005 4:14 PM
To: [email protected]
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO



Yes. You want to use the Restricted Groups function in the computer config
area. Be aware it is a replacement not a merge, so, things already in there
will get blasted.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, October 03, 2005 4:12 PM
To: [email protected]
Cc: # Jose Medeiros-IBM (E-mail)
Subject: [ActiveDir] AD Question for your peers-GPO


We have three child domains off our root domain and basically we want to add
a global or universal group (We are in Native mode on AD 2003) to the local
admin group on member servers & workstations in a child domain, every time a
new computer account is added to AD. Is this possible using a GPO?
(Please read the message below)

Jose :-)



-----Original Message-----
From: Ebias, Danilo
Sent: Monday, October 03, 2005 11:57 AM
To: Medeiros, Jose
Subject: AD Question for your peers

Jose,
Could you check with your peers about how we could define a group
policy that would add a universal group or global group automatically into
the local admin group of computers into a specific OU? I remember reading
that this is possible, but I can't find any documentation about it.


Thanks,
dan

Danilo Ebias, Jr.
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7035

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
