RE: Remove domain user from local administrators group
From: Free, Bob (RWF4_at_pge.com)
Date: 10/15/04
- Previous message: Matt Ostiguy: "Re: Interesting thing about ICF and SP2"
- Maybe in reply to: chang zhu: "Remove domain user from local administrators group"
Date: Fri, 15 Oct 2004 12:58:45 -0700
To: <focus-ms@securityfocus.com>
>the groups/users you specify will be the ONLY ones that are members of the administrators group.
The behavior has been modified. It depends on OS level and how you define "MEMBERS" and "MEMBERS OF".
Using the "MEMBER" method REPLACES all members of the local group with the domain users or groups you list for the restricted group.
Using the "MEMBER OF" method ensures that a specific domain group is made a member of the local group listed (ADDs the group), but doesn't replace the other members that are in the local group.
It can still be unpredictable if you try to combine the two, but the behavior was much improved in W2KSP4 and 2003 server.
>Be careful using restricted groups.
Wholeheartedly agree, even with the improved behavior, you need to be
very cautious or you could have undesired results.
Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076
-----Original Message-----
From: Sullivan Tim P [mailto:tim@nativemode.com]
Sent: Tuesday, October 12, 2004 4:02 PM
To: Morosan, Bogdan; chang zhu; focus-ms@securityfocus.com
Subject: RE: Remove domain user from local administrators group
Be careful using restricted groups.
I say this because the groups/users you specify will be the ONLY ones
that are members of the administrators group.
Meaning if you have this defined in your policy:
Administrators
Domainname\domain administrators
That will be the only groups listed. And it will be made this way at
every reboot/GPO refresh.
I'm saying this because in my lab it caught me by surprise, and at first
thought a little backwards from how a normal GPO would work. But perhaps
this is exactly the solution you need.
On the flip side, I think a Vbscript based login script add on could
take care of this problem, or a VBScript and PSExec combination.
Tim
-----Original Message-----
From: Morosan, Bogdan [mailto:Bogdan.Morosan@rompetrol.com]
Sent: Tuesday, October 12, 2004 10:33 AM
To: chang zhu; focus-ms@securityfocus.com
Subject: RE: Remove domain user from local administrators group
You can use Restricted Groups policy to control group membership.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx
Bogi
---------------------------------------------------------------------------
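An added example, not code from anyone in this thread: a dry-run that reads the [Group Membership] section of a security template (the GptTmpl.inf layout, with `__Members` and `__Memberof` keys) and previews who would be dropped from or added to the local Administrators group. The `preview` helper, the EXAMPLE\ account names and the sample policies are constructed, and the model is a simplification of the "Members" replaces / "Member Of" adds behaviour described above, with an empty Members list assumed to change nothing.

```python
import configparser

ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed sample policies; the EXAMPLE\ names are placeholders.
REPLACE_POLICY = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\Domain Admins
"""
ADDITIVE_POLICY = r"""
[Group Membership]
EXAMPLE\Helpdesk__Memberof = *S-1-5-32-544
EXAMPLE\Helpdesk__Members =
"""

def parse_group_membership(inf_text):
    """Split a [Group Membership] section into Members and Memberof maps."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(inf_text)
    members, memberof = {}, {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")
        names = [v.strip() for v in value.split(",") if v.strip()]
        (members if kind.lower() == "members" else memberof)[group] = names
    return members, memberof

def preview(inf_text, group, current):
    """Simplified model of the behaviour described in the thread."""
    members, memberof = parse_group_membership(inf_text)
    replacing = bool(members.get(group))  # assumption: empty list = no change
    result = list(members[group]) if replacing else list(current)
    adders = [p for p, targets in memberof.items() if group in targets]
    for principal in adders:  # "Member Of" only adds
        if principal.lower() not in {r.lower() for r in result}:
            result.append(principal)
    kept = {r.lower() for r in result}
    before = {c.lower() for c in current}
    return {
        "result": result,
        "removed": [c for c in current if c.lower() not in kept],
        "added": [r for r in result if r.lower() not in before],
        "mixed": replacing and bool(adders),  # the combination the thread warns about
    }

if __name__ == "__main__":
    current = ["Administrator", r"EXAMPLE\Domain Admins", r"EXAMPLE\alice"]
    for name, policy in (("Members", REPLACE_POLICY), ("Member Of", ADDITIVE_POLICY)):
        print(name, preview(policy, ADMINS, current))
```

A non-empty `removed` list or `mixed` set to true is the cue to review the policy before linking it to production machines.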