Ermm. In big enterprise land you have groups which are responsible for
different things. You have desktop admins which have control over your
desktops. Server admins which own different types of servers. They will have
a group in AD that represents them and then that’s what has rights on the
boxes to admin them. It's hard to install shit on servers w/o any rights.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 03, 2005 11:16 PM
To: [email protected]
Subject: Re: [ActiveDir] AD Question for your peers-GPO
Uh guys? Can I be annoying and ask a stupid question here?
"Could you check with your peers about how we could define a group
policy that would add a universal group or global group automatically into
the local admin group of computers into a specific OU? I remember reading
that this is possible, but I can't find any documentation about it."
Yes it can be done, but let's step back a bit.
Why do you need local admin? And especially on member servers?
Forgive me...but in my network this is one of the worst ways you can set up
your workstations. This means that the stupidest person on the planet in
your office can infect your entire network. You really want that?
If you are doing this because some stupid line of business app says "we
won't support you unless you run as local admin on the desktops" [aka
Quickbooks in my office] use Filemon and Regmon to figure out the perms to
adjust and hack that registry/file perms to get the stupid app to work in
standard user/LUA. http://www.sbslinks.com/lua2.htm
Even if you aren't willing to do that.. if you are doing this for the
benefit of some app that says "you need local admin access" please give me
the name so I can post it on the www.threatcode.com web site.
We've got to get vendors ready for Vista's LUA/UAP stuff.
Brian Desmond wrote:
Cool. I haven't used restricted groups really since it was introduced
originally. I vaguely recall hearing something about this though.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 03, 2005 9:58 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Question for your peers-GPO
Brian,
the "wipe and load" behavior is a thing of the past with the
introduction of the new "MemberOf" attribute. Here's a short reply I
posted on another list a while back.
Another option is to use the "MemberOf" option in a "Restricted Groups"
GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create and
apply a group policy to ClientsOU. In that policy, you will create a
restricted group object, by adding GrpA. Then in the properties, you
will choose the "this group is a member of:" and type in "administrators".
By doing the above, the existing members of the "administrators" group
are not removed. The process will simply append GrpA to the membership
list on "administrators".
HTH
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 10/3/2005 4:14 PM
To: [email protected]
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO
Yes. You want to use the Restricted Groups function in the computer
config area. Be aware it is a replacement not a merge, so, things
already in there will get blasted
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
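As an added example that is not code from the thread, the following Python script models the difference Brian and Dèjì describe: a Restricted Groups entry of the "Members of this group" form is authoritative and replaces whatever is in the local group, while the "This group is a member of" form only appends. It parses the [Group Membership] section of a GPO's GptTmpl.inf (the file the Group Policy editor writes for Restricted Groups) and applies it to a simulated workstation. The policy fragments, the group names CONTOSO\GrpA, CONTOSO\HelpdeskTier2 and the starting membership are constructed for the example; S-1-5-32-544 is the real well-known SID of BUILTIN\Administrators. The model is deliberately simplified and does not reproduce every Security Configuration Engine detail (for instance the special handling of the built-in Administrator account).

```python
"""Added example (not from the thread): model of how a Restricted Groups
policy is applied to a computer's local groups, showing why the
"Members of this group" form replaces the existing membership while the
"This group is a member of" form only appends.

The [Group Membership] section of GptTmpl.inf has two line shapes:

    <group>__Members  = <list>   authoritative: local group becomes exactly <list>
    <group>__Memberof = <list>   additive: <group> is added to each group in <list>

Groups appear as names or as SIDs prefixed with '*'.  All policy
fragments, group names and starting membership below are constructed.
"""
import re

# Well-known SID of BUILTIN\Administrators, as GptTmpl.inf writes it.
WELL_KNOWN_SIDS = {"*S-1-5-32-544": "Administrators"}

# Constructed starting state of one workstation: local group -> members.
LOCAL_GROUPS = {
    "Administrators": {
        "Administrator",
        "CONTOSO\\Domain Admins",
        "CONTOSO\\HelpdeskTier2",
    },
}

# Constructed fragment: restricted group = Administrators, "Members of this
# group" = CONTOSO\GrpA.  This is the replace form Brian warns about.
POLICY_MEMBERS = """
[Group Membership]
*S-1-5-32-544__Members = CONTOSO\\GrpA
*S-1-5-32-544__Memberof =
"""

# Constructed fragment: restricted group = CONTOSO\GrpA, "This group is a
# member of" = Administrators.  This is the append form Dèjì recommends.
POLICY_MEMBEROF = """
[Group Membership]
CONTOSO\\GrpA__Members =
CONTOSO\\GrpA__Memberof = *S-1-5-32-544
"""


def resolve(token):
    """Map a '*SID' token to a group name where the SID is well known."""
    return WELL_KNOWN_SIDS.get(token, token)


def parse_group_membership(inf_text):
    """Return [(group, kind, [members...])] from the [Group Membership]
    section; kind is 'Members' or 'Memberof'.  Other sections are skipped."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep != "__" or kind not in ("Members", "Memberof"):
            continue
        members = [resolve(v.strip()) for v in value.split(",") if v.strip()]
        entries.append((resolve(group), kind, members))
    return entries


def apply_restricted_groups(inf_text, local_groups):
    """Apply the policy to a copy of local_groups and return the result.

    Only groups that exist locally are touched; a domain group named as the
    restricted group (CONTOSO\\GrpA above) has no local membership to set.
    """
    result = {g: set(m) for g, m in local_groups.items()}
    for group, kind, members in parse_group_membership(inf_text):
        if kind == "Members":
            # Authoritative: whatever was in the local group is discarded.
            if group in result:
                result[group] = set(members)
        else:
            # Additive: existing members stay, the restricted group is appended.
            for target in members:
                if target in result:
                    result[target].add(group)
    return result


def removed_members(before, after, group):
    """Members of `group` that the policy would strip from the machine."""
    return before.get(group, set()) - after.get(group, set())


if __name__ == "__main__":
    for label, policy in (("Members", POLICY_MEMBERS), ("Memberof", POLICY_MEMBEROF)):
        after = apply_restricted_groups(policy, LOCAL_GROUPS)
        gone = removed_members(LOCAL_GROUPS, after, "Administrators")
        print(f"{label:8} -> Administrators = {sorted(after['Administrators'])}")
        print(f"{'':8}    removed        = {sorted(gone)}")
```

On a live domain the file to inspect is the GPO's copy in SYSVOL, at \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, and `net localgroup Administrators` on a client shows the membership the policy will act on. Running the script with the Members form shows Domain Admins and the helpdesk group being removed from Administrators; with the Memberof form the three existing members remain and GrpA is appended.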
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, October 03, 2005 4:12 PM
To: [email protected]
Cc: # Jose Medeiros-IBM (E-mail)
Subject: [ActiveDir] AD Question for your peers-GPO
We have three child domains off our root domain and basically we want
to add a global or universal group ( We are in Native mode on AD 2003)
to the local admin group on member servers & workstations in a child
domain, every time a new computer account is added to AD. Is this possible using
a GPO?
( Please read the message below )
Jose :-)
-----Original Message-----
From: Ebias, Danilo
Sent: Monday, October 03, 2005 11:57 AM
To: Medeiros, Jose
Subject: AD Question for your peers
Jose,
Could you check with your peers about how we could define a group
policy that would add a universal group or global group automatically
into the local admin group of computers into a specific OU? I remember
reading that this is possible, but I can't find any documentation about it.
Thanks,
dan
Danilo Ebias, Jr.
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7035
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com