On Tue, Jun 30, 2015 at 10:40 AM, Boyles, Peter J {BIS}
<[email protected]> wrote:
>
> You can replace the groups in the local administrators group. Be careful
> with this as you can inadvertently nuke accounts you did not intend to
> remove.
>
> If you do this you must include every account you want in the local
> administrators account in the GPO.

For the servers, I don't want any account in the local administrators
group, except the local administrator.

> Here is a write-up on using restricted groups in a GPO to replace or add to
> a local group on a system.
>
> http://rdpfiles.com/2011/04/11/managing-local-groups-with-group-policy/

Still not clear to me how to remove a domain group that's already a
member. I suppose I might be able to specify that only the local
administrator should be a member of the restricted group, I dunno.

> Can you link the workstation admin GPO to just the workstation OUs?

Probably. I didn't make any of these changes, I only found out about
them today ... I'd rather have this restricted group on that OU only
(actually, I might want to use the GPP Local Users and Groups, it's
supposed to be better for that).
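
A check to run on a server once the group policy has applied, confirming that the local Administrators group holds only the built-in local Administrator. This is an added example, not part of the original message; the function name Get-UnexpectedLocalAdmin is hypothetical, and it assumes Windows PowerShell 5.1 or later on a member server or workstation, not a domain controller.

```powershell
# Added example (not from the original thread).
# Lists every member of the local Administrators group other than the
# built-in local Administrator account.

function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Group members to check, e.g. the output of Get-LocalGroupMember
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Member,
        # SID string of the single account that is allowed to remain
        [Parameter(Mandatory)] [string] $AllowedSid
    )
    $Member |
        Where-Object { [string]$_.SID -ne $AllowedSid } |
        Select-Object Name, @{ n = 'SID'; e = { [string]$_.SID } }, ObjectClass, PrincipalSource
}

# Get-LocalUser returns local accounts only, so the one whose SID ends in
# RID 500 is the built-in local Administrator, even if it has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
# avoids depending on the localized group name.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

$unexpected = @(Get-UnexpectedLocalAdmin -Member $members -AllowedSid $builtin.SID.Value)

if ($unexpected.Count -eq 0) {
    Write-Output 'OK: only the built-in local Administrator is a member.'
} else {
    # Domain groups or users that are still members show up here with
    # PrincipalSource = ActiveDirectory.
    Write-Warning 'Unexpected members of the local Administrators group:'
    $unexpected | Format-Table -AutoSize
}
```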