No, one of the two options that restricted groups offers replaces everything. You can also create a restricted group policy for your "IT Staff Local Admin" group and force said group to be a member of Administrators.
-Anders On Tue, Jul 19, 2011 at 7:54 PM, Kennedy, Jim <kennedy...@elyriaschools.org>wrote: > Create a domain group called IT Local Admins and add the domain IT Admin > accounts you create to it. Then add that group to the computers using > restricted groups. Remember, restricted groups REPLACES everything in the > local admin group when you apply that GPO. It does not add…it replaces.*** > * > > ** ** > > *From:* David Lum [mailto:david....@nwea.org] > *Sent:* Tuesday, July 19, 2011 1:32 PM > > *To:* NT System Admin Issues > *Subject:* RE: non-local admin revisited**** > > ** ** > > A local admin account? So 50 IT folks would have 50 different local admin > accounts? Other than the deny log on locally what keeps them from creating > an admin account while logged in as admin?**** > > ** ** > > Win 7 makes alternate credentials easy enough at least…**** > > ** ** > > Dave.**** > > ** ** > > *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org] > *Sent:* Tuesday, July 19, 2011 10:20 AM > *To:* NT System Admin Issues > *Subject:* RE: non-local admin revisited**** > > ** ** > > +1**** > > ** ** > > *From:* Don Ely [mailto:don....@gmail.com] > *Sent:* Tuesday, July 19, 2011 1:19 PM > *To:* NT System Admin Issues > *Subject:* Re: non-local admin revisited**** > > ** ** > > Provide them with an admin account and show them how to use "run-as"... I > also disable logon locally where I can get away with it so they don't > cheat...**** > > On Tue, Jul 19, 2011 at 10:10 AM, David Lum <david....@nwea.org> wrote:*** > * > > How do you bigger org’s handle IT staff (DBA’s and the like) not being > local admins on their systems? Invariably they are used to throwing on > whatever they want and in some ways this helps the Help desk so they’re not > called to install stuff the user can install.**** > > **** > > As we move to Windows 7 my recommendation is to yank local admin perms at > the same time (yes everyone is local admin on their XP systems currently), > but I foresee pushback from Service Desk and IT folks…**** > > *David Lum* > Systems Engineer // NWEATM > Office 503.548.5229 //* *Cell (voice/text) 503.267.9764**** > > **** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin**** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
