|
|
 FAQ
 Search
 Memberlist
 Usergroups
 Register
 Profile
 Private messages
 Log in
|
|
| Author |
Message |
jas0n
Guest
|
 Posted: Sun Oct 21, 2007 2:42 pm Post subject: Restricted Groups |
 |
|
I'm starting to look at using restricted groups initially to set a
number of default groups on end users workstations as local admin and to
remove any unauthorised users who have local admin rights.
I've tested this and it seems to work well - i'll be setting the scope
for the policy to be the domain computers group which also includes the
member servers.
I have the need for some member servers to have a specific local admin
user who is the 3rd party support company on whatever app is installed
on the member server.
With restricted groups in place how can I set an individual user as
local admin on one server without adding them to a group that gives them
local admin rights across all domain computers?
I can't use a wmi filter as we have a mix of 2000/xp/2003 and initial
reading seems to say 2000 ignores wmi filters.
Do I create another restricted group that targets this one server and is
higher in the list - will they conflict? Is there another way? |
|
| Back to top |
|
 |
|
|
Anthony
Guest
|
| Posted: Sun Oct 21, 2007 2:42 pm Post subject: Re: Restricted Groups |
|
|
I guess it depends on how many different setups you want. You can:
- either put servers into a specific OU where different Restricted Groups
policies apply (for example, "Terminal Servers" or "SQL Servers")
- or you can filter the different policies by security group, and create a
group for each type of server or application
Hope that helps,
Anthony, http://www.airdesk.co.uk
"jas0n" <no@thank.you> wrote in message
news:MPG.21853ef0d5dcd64e989685@news.microsoft.com...
| Quote: | I'm starting to look at using restricted groups initially to set a
number of default groups on end users workstations as local admin and to
remove any unauthorised users who have local admin rights.
I've tested this and it seems to work well - i'll be setting the scope
for the policy to be the domain computers group which also includes the
member servers.
I have the need for some member servers to have a specific local admin
user who is the 3rd party support company on whatever app is installed
on the member server.
With restricted groups in place how can I set an individual user as
local admin on one server without adding them to a group that gives them
local admin rights across all domain computers?
I can't use a wmi filter as we have a mix of 2000/xp/2003 and initial
reading seems to say 2000 ignores wmi filters.
Do I create another restricted group that targets this one server and is
higher in the list - will they conflict? Is there another way? |
|
|
| Back to top |
|
|
|
|
