Re: Help needed setting up roaming administrator

From: Paul Adare - MVP - Microsoft Virtual PC (padare_at_newsguy.com)
Date: 08/28/04


Date: Sat, 28 Aug 2004 12:41:41 -0400

In article <cg01j0dvurfnv68e2aimppvj63es5tbf9l@4ax.com>, in the
microsoft.public.win2000.security news group, Steve Hull
<msnnews.REMOVE_TO_REPLY@steve-hull.com> says...

> Then I added a GPO to the OU and created
> an entry in Restricted Groups for the "Roaming Local Admins" security
> group.

This is where you made your error. You want to create an entry for the
Administrators group (just type in Administrators, don't browse for it,
the workstation will figure it out when the policy is applied), and then
add your Roaming Local Admins group to the Members of this group section
in the Administrators group Properties.

> Next, I set up a startup script with the "net localgroup
> administrators mydomain\Roaming Local Admins /add" command.
> (Actually, I had to put quotes around the domain name\group name.)
> That did the trick!

The reason I don't like this method is that membership is only
controlled when the computer boots. Once the system is up and running,
anyone with sufficient privileges can now change the membership of the
group and it will stay changed until the next time you reboot. With
Restricted Groups, your settings will be reapplied every time Group
Policy is refreshed.
 

-- 
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
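
The Restricted Groups setup described in the reply above can be checked offline against the GPO's security template. This is an added example, not part of the original post: it parses the `[Group Membership]` section of a `GptTmpl.inf` and reports when the entry is keyed on the delegated group instead of on Administrators. The two sample templates are constructed, `audit` and `restricted_groups` are hypothetical helper names, and matching the member by name is an assumption (pass the group's `*SID` string if that is how your template stores it).

```python
# Added example: audit the Restricted Groups section of a GPO security template.
ADMINISTRATORS = {"*s-1-5-32-544", "administrators"}  # BUILTIN\Administrators: well-known SID or typed name

# Constructed samples of the [Group Membership] section of GptTmpl.inf.
MISCONFIGURED = """
[Group Membership]
mydomain\\Roaming Local Admins__Memberof =
mydomain\\Roaming Local Admins__Members =
"""
CORRECTED = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = mydomain\\Roaming Local Admins
"""

def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Keys look like <group>__Members or <group>__Memberof.
        group, _, kind = key.strip().rpartition("__")
        entries = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group.lower(), {})[kind.lower()] = entries
    return groups

def audit(inf_text, delegated_group):
    """List findings; an empty list means Administrators is restricted and lists delegated_group."""
    groups = restricted_groups(inf_text)
    wanted = delegated_group.lower()
    findings = []
    admin = next((groups[g] for g in groups if g in ADMINISTRATORS), None)
    if admin is None:
        findings.append("no Restricted Groups entry for Administrators")
    elif wanted not in [m.lower() for m in admin.get("members", [])]:
        findings.append(f"{delegated_group} missing from Administrators 'Members of this group'")
    if wanted in groups:
        findings.append(f"entry is defined for {delegated_group} itself rather than for Administrators")
    return findings

if __name__ == "__main__":
    for name, text in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, audit(text, "mydomain\\Roaming Local Admins") or "OK")
```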

