What you've described can be done with the "This
group is a member of" portion of restricted groups. This allows you to put a
particular group into another group without caring what other memberships are
contained in that group.
Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Thursday, July 27, 2006 8:56 AM
To: [email protected]
Subject: RE: [ActiveDir] Question on "restricted group" policy.

Is there a way to set a
restricted group membership, yet allow for additional members to not be removed
when the group policy is refreshed? We have a number of engineers that we
grant local administrator privileges on a case by case basis, and the initial
reason I dismissed the use of “Restricted Groups” was due to the fact that it
prevented the ability to add any additional admins so I went back to a “Net
localgroup” script to accomplish what I was looking for.

I’m just looking for a
way to have the GPO look at the restricted group and make sure that the
groups/users I specify are a part of the restricted group, and not worry about
anything in addition that might be there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves

From my experience, Restricted Groups
settings simply state what the computer (or domain controller if you stick the
setting in your DCs GPO) will make sure what the group memberships are going to
be when it checks the GPO. If you set the "Administrators" group to be
"Domain Admins; groupa; groupb" then when the computer applies the GPO settings,
it will check to make sure that the local Administrators group (Or domain group
for a DC) contains "Domain Admins; groupa; groupb; builtin\Administrator".

On 7/26/06, Derek Harris <[EMAIL PROTECTED]> wrote:

Yes -- I've done that, and that's how it worked for me.

From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Subject: RE: [ActiveDir] Question on "restricted group" policy.

This somewhat depends
upon which side of Restricted Groups you're using (i.e. "Members of this Group"
or "This group is a member of"). If it's the former, and you clear out the users
in the list but leave the local Administrators group under control, then it will
clear out the members of that local Admin group on the target machines (but will
leave the local Administrator account in (always)). If the latter, and you clear
out the members of the group, I think what you will find is that those
users/groups are simply left in the group that you made them members of. If you
simply delete or unlink the GPO, then the groups should be left the way they
were before you deleted/unlinked it (i.e. the group membership changes do not
get unapplied in the case of restricted group policy).
Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best
source for GPO FAQs, video training, tools and whitepapers. Also check out the
Windows Group Policy Guide, the definitive resource
for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky

Hey,

Created a restricted group
policy for my domain that adds some groups to the local administrators group
of the workstations. My question is now management wants me to delete it. If I
understand the way this works is that if I delete it then it will delete the
groups that were associated with this policy thus leaving nobody in the local
admin group. Am I correct...

v/r john
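
Added example, not part of the mailing-list thread: a Python sketch that reads the [Group Membership] section of a GPO security template (GptTmpl.inf) and labels each Restricted Groups entry as the authoritative "Members of this group" side or the additive "This group is a member of" side, following the behaviour described in the replies above. The sample template and its domain SIDs are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of a GptTmpl.inf; the domain SIDs are placeholders.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1106__Members =
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.I)

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line)
        if in_section and m:
            name, kind, value = m.groups()
            entry = groups.setdefault(name, {"members": [], "memberof": []})
            entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def classify(groups):
    """Label each entry by the behaviour the thread describes for its side."""
    findings = []
    for name, e in groups.items():
        for target in e["memberof"]:
            # "This group is a member of": other members of target are left alone.
            findings.append((name, "additive", f"added to {target}"))
        # Assumption of this sketch: an entry that only fills in Memberof is
        # reported as additive only. A group under control with neither side
        # filled in is reported as authoritative and empty, as the thread says.
        if e["members"] or not e["memberof"]:
            findings.append((name, "authoritative",
                             f"membership reset to {e['members'] or 'empty'}"))
    return findings

if __name__ == "__main__":
    for finding in classify(parse_group_membership(SAMPLE_INF)):
        print(*finding, sep=" | ")
```

The function takes already-decoded text, so read the template with the right encoding before passing it in. Per the thread, deleting or unlinking the GPO leaves either kind of change in place on the target machines.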
