Change Local Security through GPO

Status
Not open for further replies.

cygnetrower1

IS-IT--Management
Feb 14, 2002
37
GB
I'd like to change the local security settings on all client PCs to add a new domain security group to their local administrator group. This is so I can remove the help desk users from Domain Admins but still allow them to support client PCs. (All PCs are Win2000/XP.)

I'm sure I can do this via a GPO and so control it through AD but haven't been able to work out how.

Can anyone help?
 
What part are you stuck on? How to configure GPs in general, finding the correct policy, or the policy not being enforced once it hits the desktop?

Sounds like Restricted Groups may be your solution, but we need more info!

/Siddharth
 
This is what I have done so far.
Created a new Domain Global Group and added the required users to it.
Created an OU and moved some test PCs into it
Created a GPO for this OU in computer configuration\windows settings\restricted groups adding the domain global group

I thought this should do it.
The GPO runs on the PC - I can see that it has in the event log, but the new group has not been added to the local administrators group.
 
So in your event log on the client machines, you are seeing SceCli 1704 (successfully processed group policy)?

/Siddharth
 
Yes, that's the message.

Can you see if I have missed anything?

Damian.
 
Restricted groups LIMIT the membership to specific named members or groups. I don't think the intent was to POPULATE.

It will strip members/groups not on the list from the membership of the restricted group on policy refresh.

Try using cusrmgr.exe from the w2k reskit to populate the local administrators group on each workstation remotely.

John
MOSMWNMTK
 
It will strip and re-populate the group with who you want. Should work fine if configured correctly.

228496 HOW TO: Use Restricted Groups in Windows 2000

From the article:
Membership Is Strictly Enforced:

- For the restricted group, any user or group that is included in that restricted group's member list is added to the group.

- Any user or group that is currently a member of the group, but is not listed in the restricted group's member list is removed.

So you get both.

/Siddharth
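
The enforcement rule quoted from KB 228496 above, modelled as an added example (not code from the thread or from Microsoft): it reads the Members line of a Restricted Groups entry in the form a GPO security template (GptTmpl.inf) stores it, and reports what a policy refresh would add to and remove from the local Administrators group. The domain EXAMPLE, the group HelpDeskAdmins, the listed accounts, and the use of names rather than SIDs for members are assumptions constructed for illustration.

```python
"""Added example: preview what a Restricted Groups member list does to a
local group on policy refresh. All account names below are constructed."""

# Constructed [Group Membership] section in the layout a GPO security
# template (GptTmpl.inf) uses; *S-1-5-32-544 is the built-in Administrators
# group. HelpDeskAdmins is a hypothetical domain global group.
SAMPLE_INF = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\HelpDeskAdmins,EXAMPLE\Domain Admins
"""

def parse_members(inf_text, group):
    """Return the enforced member list for `group`, or None if unrestricted."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == f"{group}__members".lower():
            return [m.strip() for m in value.split(",") if m.strip()]
    return None

def enforcement_delta(current, enforced):
    """Model the quoted rule: listed members are added, unlisted are removed."""
    cur = {m.lower(): m for m in current}    # account names are case-insensitive
    want = {m.lower(): m for m in enforced}
    return {
        "add": sorted(want[k] for k in want.keys() - cur.keys()),
        "remove": sorted(cur[k] for k in cur.keys() - want.keys()),
        "keep": sorted(cur[k] for k in cur.keys() & want.keys()),
    }

# Constructed current membership of one workstation's local Administrators group.
CURRENT = [r"EXAMPLE\Domain Admins", r"WS01\localtech", r"EXAMPLE\jsmith"]

if __name__ == "__main__":
    enforced = parse_members(SAMPLE_INF, "*S-1-5-32-544")
    for action, names in enforcement_delta(CURRENT, enforced).items():
        print(f"{action:7}{', '.join(names) or '-'}")
```

Running the preview against a real membership list before linking the GPO shows which existing local administrators would lose access on the next refresh because they are not in the member list.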
 