Group Policy preferences in AD 2008 actually allow you to
add/remove/update groups without deleting all previous group members,
unlike group policy in 2003.


-----Original Message-----
From: John Bowles [mailto:[email protected]] 
Sent: Wednesday, January 20, 2010 10:48 AM
To: NT System Admin Issues
Subject: RE: GPO Best Practices

Thanks to everyone for their ideas.  This was very helpful!


John Bowles 


________________________________________
From: Andy Ognenoff [[email protected]]
Sent: Wednesday, January 20, 2010 10:30 AM
To: NT System Admin Issues
Subject: RE: GPO Best Practices

OU structure aside (separating them is good practice for all of the
reasons stated) - your first thought to use Restricted Groups was
definitely a way to accomplish the task - that's exactly what we do here.

Just use the "This group is a member of:" box with "Administrators"
added to it and leave the "Members of this group:" box empty.

This makes your AD security group become a part of the Local
Administrators group on whatever machines the GPO is applied to - adding
to it, rather than replacing it.

- Andy O.
________________________________________
From: John Bowles [mailto:[email protected]]
Sent: Wednesday, January 20, 2010 9:00 AM
To: NT System Admin Issues
Subject: GPO Best Practices

I have a customer who is looking to implement a GPO to add Domain Admins
to all the workstations and servers.  I was looking into using
Restricted Groups to tackle this task, but it seems if you use
Restricted Groups you will lose anything outside of the groups you have
listed in the restricted groups, that reside in local admin group of
workstations or servers.

My question is, if I recall a finely tuned AD the concept was to have
your workstations and servers in separate OUs right?  This way you can
have separate sets of GPOs for each class, either workstations or
servers?

Or, is there just a flat out easier way to push certain accounts to the
servers and workstations?

Thanks,


John Bowles
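
Added example, not part of the original thread: how the two Restricted Groups modes discussed above are stored in a GPO's security template (GptTmpl.inf). The domain SID is a constructed placeholder; S-1-5-32-544 is the well-known SID of the built-in Administrators group and RID 512 is Domain Admins.

```ini
; --- Replace mode: Administrators itself is the restricted group ---
; The "Members of this group:" box is filled in. On every machine in scope,
; local Administrators is reset to exactly this list, and any other local
; admin accounts or groups are removed at the next policy refresh.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<domain-sid-placeholder>-512

; --- Additive mode: the AD group is the restricted group ---
; "This group is a member of:" lists Administrators and
; "Members of this group:" is left empty. The AD group is added to
; local Administrators; existing local admin members stay in place.
[Group Membership]
*S-1-5-21-<domain-sid-placeholder>-512__Memberof = *S-1-5-32-544
*S-1-5-21-<domain-sid-placeholder>-512__Members =
```

The two sections are shown side by side for comparison; a single GPO would carry one [Group Membership] section. Reviewing which key carries the value (`__Members` on Administrators versus `__Memberof` on the AD group) is a quick way to audit whether a policy will wipe existing local administrators.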





~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~