On Tue, Jun 30, 2015 at 12:04 PM, Boyles, Peter J {BIS}
<[email protected]> wrote:
> The cleanest solution is to remove the setting from the default GPO and move
> it to a GPO that only impacts client systems.  Once everything gets the
> updated GPO it should remove the group from local admin on the servers.

Boss doesn't want that setting only in the client computers GPO, because
if you forget to move the computer object to that OU, then this
setting doesn't take effect. He'd rather have that Restricted Group
setting in effect, and the other client PC settings not in effect,
than the other way around.

So that's what we will do.

> Anything else has a multitude of other potential issues and will complicate
> determining what the RSOP is for a specific group of computers.

I set that "Remove" option in the "Local Users and Groups" in the
computers preferences section of my servers GPO, instead.

