Deploying local admin group with Restricted Groups GPO

Status
Not open for further replies.

bszocs

IS-IT--Management
Nov 1, 2006
4
RO
Hi,
I need to create a domain group which is local admin on the client computers in an Active Directory environment.
I followed the instructions from:
How could I implement this restricted group so that, instead of replacing the local admin group, it only merges with it?
The point is for the users who are local admins on the computers to remain local admins after applying the GPO.

If there is another solution, then let me know.

Thank You in advance...
 
Using the Restricted Groups GPO should not replace the group memberships but instead should simply add users to the local admin group.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
It actually is the opposite of that. Restricted groups will replace all members of the group with those specified. That's why you need to make sure that domain admins are a member of the Restricted Groups GPO if you're dealing with the local admins group.

See the section under CAUTION in

Restricted Groups

To answer the original request, I would think you'll need to script this via VBS or other methods.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
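
For reference, an added example that is not part of the thread: Restricted Groups settings are stored in the `[Group Membership]` section of the GPO's `GptTmpl.inf` security template, and the two ways of filling them in behave differently. A `__Members` list on the local Administrators group replaces its membership (the behaviour described in the reply above), while a `__Memberof` entry on the domain group adds that group to Administrators and leaves existing members in place. The SIDs containing `<...>` are placeholders, and the domain group is hypothetical.

```ini
; Constructed example of the [Group Membership] section of a GPO's GptTmpl.inf.
; Use ONE of the two variants. SIDs containing <...> are placeholders.
; S-1-5-32-544 is the well-known SID of the local (BUILTIN) Administrators group.
; S-1-5-21-<domain-id>-512 is the Domain Admins group of the domain.

; --- Variant A: "Members of this group" set on local Administrators ---
; Authoritative list. At each policy refresh, any account that is not
; listed here is removed from local Administrators, including users who
; were added by hand on the workstation. Domain Admins must be listed
; explicitly or it is removed as well.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<domain-id>-512,*S-1-5-21-<domain-id>-<group-rid>

; --- Variant B: "This group is a member of" set on the domain group ---
; Additive. The (hypothetical) domain group is added to local
; Administrators; accounts that are already members stay members.
[Group Membership]
*S-1-5-21-<domain-id>-<group-rid>__Memberof = *S-1-5-32-544
*S-1-5-21-<domain-id>-<group-rid>__Members =
```

After a policy refresh, running `net localgroup Administrators` on a client shows the resulting membership.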
 
Thanks for the answers...
I am not totally clear on how the "net localgroup" command will do this for me, because I don't want to do this manually for every workstation. I could do this in a Logon script, but Logon scripts run with the credentials of the user and the user is not Local Administrator (yet :) ), and I think the command must be executed with admin rights.

How could I do this?

Best Regards,
Barni
 
the user is not Local Administrator

This indicates you did not properly join your workstations to the SBS domain.

When joining workstations you should be using the web page:


That automatically configures the computer for your SBS domain and sets the user as Admin. If you did not follow that procedure I would suggest removing the computers from the domain and doing it that way. It also migrates the user's local profile over to SBS. Failure to use the wizards in SBS often results in problems down the road.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Now I'm confused...
I didn't know about this method. I did some googling, and I didn't find anything about joining a computer over http.
If you have some links covering this topic, then please post it.

Br,
Barni
 
Take a look in the SBS ToDo list. One of the items is to add workstations to the domain. If you follow the steps it gives you a popup on the server that tells you to run that web page I referenced from the client.

It is a fairly cool little tool. Lets you assign a user to a workstation, converts their profile and makes them a local admin. It then sets up the PC for use with SBS and installs some SBS software such as XP service packs if needed, ISA client etc. It will configure Outlook to always have the dumpster on for email recovery too. Bypassing that process you get none of those benefits.

If you have not gone through each of the ToDo list items, you should do so to ensure your SBS is fully set up correctly. It won't hurt anything to run through the items even if something has been done previously.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 