Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Using GPO to populate workstation Local Groups
- Thread starter stunpals
- Start date
bofhrevenge2
MIS
Yes you can use the restricted groups feture.
"Sometimes, a cigar is just a cigar." - Sigmund Freud
"Sometimes, a cigar is just a cigar." - Sigmund Freud
bofhrevenge2
MIS
"Sometimes, a cigar is just a cigar." - Sigmund Freud
- Thread starter
- #4
bofhrevenge2
After reading and trying this the only way I can get selected users to populate the local Administrators on the wkst is to create a Restricted Group with exactly the same name as the one on the wkst. Is this the correct method.??
Also I have read this article a few times and I am not getting what the This group is a member of is used for.
The example from your artice shows the propeties of the group BCN\Enterprise Admin and the This group is a member of field is filled with BCN\Enterprise Admin, which is itself..??
Am I missing something..??
After reading and trying this the only way I can get selected users to populate the local Administrators on the wkst is to create a Restricted Group with exactly the same name as the one on the wkst. Is this the correct method.??
Also I have read this article a few times and I am not getting what the This group is a member of is used for.
The example from your artice shows the propeties of the group BCN\Enterprise Admin and the This group is a member of field is filled with BCN\Enterprise Admin, which is itself..??
Am I missing something..??
bofhrevenge2
MIS
This is a tricky bit and had me for a while.
In the restricted groups pane right click and select add group, then type the name of the local group that you wish to control membership of e.g.
Group Name
----------
Power Users
The properties box will then open, cick add on the Members of this group: box and add the domain users and groups that you want to appear in the Power Users group on the workstations. Click OK and they will appear in the Members column of the previouse pane.
Group Name Members
----------- -------
Administrators BCN\Domain Admins
Power Users BCN\Office Staff
That's how i use it and it works very well, post back if you have any problems.
"Sometimes, a cigar is just a cigar." - Sigmund Freud
In the restricted groups pane right click and select add group, then type the name of the local group that you wish to control membership of e.g.
Group Name
----------
Power Users
The properties box will then open, cick add on the Members of this group: box and add the domain users and groups that you want to appear in the Power Users group on the workstations. Click OK and they will appear in the Members column of the previouse pane.
Group Name Members
----------- -------
Administrators BCN\Domain Admins
Power Users BCN\Office Staff
That's how i use it and it works very well, post back if you have any problems.
"Sometimes, a cigar is just a cigar." - Sigmund Freud
bofhrevenge2
MIS
I know you have probably worked most of that out for yourself but i thought i'd explain exactly how i do it. I haven't used the "member of" part of the feature i'm afraid, i imagine that you can force domain groups to be members of other domain groups.
"Sometimes, a cigar is just a cigar." - Sigmund Freud
"Sometimes, a cigar is just a cigar." - Sigmund Freud
bofhrevenge2
MIS
I think i see what it means, you can specify what groups a certain domain group is a member of. If this group has become a member of other groups then it will be removed from those groups and left in the approved groups. This provides a way to control the membership of high priority groups.
"Sometimes, a cigar is just a cigar." - Sigmund Freud
"Sometimes, a cigar is just a cigar." - Sigmund Freud
- Thread starter
- #8
Thanks for the confirmation, I didnt want to be using this wrong and find out later there are issues.
I have noticed that the Local Administrator account on the wkst remains in the Local Administrators group even though I am unable to add it to the Restricted Group list. Is there a way to allow other Local User accounts to be a member of a Local group on the wkst.??
eg
I had to put another Local User account on our laptops cuz I had a few users lock themselves out while away from the office. This backup account will allow them with my instructions to fix things if they were messing around.
I am still not clear on the proper use of This group is a member of or a good example, not sure that I need it but its definately confusing me.
I have noticed that the Local Administrator account on the wkst remains in the Local Administrators group even though I am unable to add it to the Restricted Group list. Is there a way to allow other Local User accounts to be a member of a Local group on the wkst.??
eg
I had to put another Local User account on our laptops cuz I had a few users lock themselves out while away from the office. This backup account will allow them with my instructions to fix things if they were messing around.
I am still not clear on the proper use of This group is a member of or a good example, not sure that I need it but its definately confusing me.
bofhrevenge2
MIS
I've never used it to add more local accounts it might work give it a try. I needed a special user that had admin rights on the local station but not the domain so i created an ordinary domain user account and then used restricted groups to add it to the local administrators group.
"Sometimes, a cigar is just a cigar." - Sigmund Freud
"Sometimes, a cigar is just a cigar." - Sigmund Freud
- Status
Similar threads
- Locked
- Question
- Locked
- Question
