Re: Help needed setting up roaming administrator

From: Steve Hull (msnnews.REMOVE_TO_REPLY_at_steve-hull.com)
Date: 08/28/04

    Date: Sat, 28 Aug 2004 15:41:10 -0400
    
    

    On Sat, 28 Aug 2004 12:41:41 -0400, Paul Adare - MVP - Microsoft
    Virtual PC <padare@newsguy.com> wrote:

    >In article <cg01j0dvurfnv68e2aimppvj63es5tbf9l@4ax.com>, in the
    >microsoft.public.win2000.security news group, Steve Hull
    ><msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
    >
    >> Then I added a GPO to the OU and created
    >> an entry in Restricted Groups for the "Roaming Local Admins" security
    >> group.
    >
    >This is where you made your error. You want to create an entry for the
    >Administrators group (just type in Administrators, don't browse for it,
    >the workstation will figure it out when the policy is applied), and then
    >add your Roaming Local Admins group to the Members of this group section
    >in the Administrators group Properties.

    I can't figure out how to implement your suggestions. I modified the
    GPO associated with the OU that contains the computers I want to use
    with my Roaming Local Admins group. In that GPO, in the Restricted
    Groups section, I ran "Add Group" and added the Roaming Local Admins
    group. Then I double-clicked on the group name (Roaming Local Admins)
    and it brought up a dialog box that lets me add members to the
    restricted group and to define the groups the restricted group will
    belong to. In the top half of the dialog box, I added 2 domain users
    (Adam and Bob) to the Roaming Local Admins group. In the bottom half
    of the dialog box, I typed in "Administrators" to indicate that we
    want the Restricted Group to be a member of the Administrators group.

    When I log into one of the designated workstations as Adam (or Bob), I
    do not have local Admin privileges.

       ------ Chapter 2 -----
    Ok, so maybe I didn't interpret your instructions correctly. I
    deleted all my entries in the GPO and started again. In the GPO, I
    right-click on "Restricted Groups" and select "Add Group". For a
    group name, I used "Administrators". I right-click on the new
    "Administrators" Restricted Group and don't get a Properties
    selection, per se. But there is a Security Option that lets me add
    members to the group, and define which groups my new
    "Administrators" group will belong to. In fact, this is the same screen
    I got to with my first attempt. Once again, I add Adam and Bob to the
    list of members, and also enter "Administrators" in the bottom half of
    the screen to indicate that this Restricted Group should be a member
    of the Administrators group after we log on.

    When I log on at the workstation, I get the following error message:
    "Windows cannot create profile directory
    \\MyServerName\Users\Adam.pds. You will be logged on with a local
    profile only. Changes to the profile will not be propagated to the
    server...."

    >
    >> Next, I set up a startup script with the "net localgroup
    >> administrators mydomain\Roaming Local Admins /add" command.
    >> (Actually, I had to put quotes around the domain name\group name.)
    >> That did the trick!
    >
    >The reason I don't like this method is that membership is only
    >controlled when the computer boots. Once the system is up and running,
    >anyone with sufficient privileges can now change the membership of the
    >group and it will stay changed until the next time you reboot. With
    >Restricted Groups, your settings will be reapplied every time Group
    >Policy is refreshed.
    >

    Anyone with sufficient privileges can change the GPO :)

    Thanks,

    - Steve
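The thread's concern is that local Administrators membership set by a startup script can drift until the next reboot, whereas a Restricted Groups policy is reapplied at every Group Policy refresh. The following is an added audit script, not code from the thread or from Microsoft: it compares a workstation's actual local Administrators membership against the membership the GPO is intended to enforce and reports any deviation. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the domain name MYDOMAIN and the group name "Roaming Local Admins" are placeholders taken from the thread's scenario.

```powershell
# Added example (not from the thread): audit the local Administrators group
# against the membership a Restricted Groups GPO is meant to enforce, so that
# drift between Group Policy refreshes (or with a startup-script-only approach)
# is visible on each workstation.
# Assumptions: PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts;
# MYDOMAIN and "Roaming Local Admins" are placeholder names.

$ExpectedAdministrators = @(
    'MYDOMAIN\Domain Admins',
    'MYDOMAIN\Roaming Local Admins',
    "$env:COMPUTERNAME\Administrator"
)

function Get-LocalAdminDrift {
    param(
        [string[]]$ExpectedMembers = $ExpectedAdministrators
    )
    # Get-LocalGroupMember reports Name as AUTHORITY\name for both domain
    # principals (MYDOMAIN\...) and local principals (COMPUTERNAME\...).
    $actual = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    # -notcontains is case-insensitive, matching Windows account name semantics.
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
        Missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })
    }
}

$drift = Get-LocalAdminDrift
if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output "OK: local Administrators on $($drift.Computer) matches the intended definition."
} else {
    $drift.Unexpected | ForEach-Object { Write-Warning "Unexpected member of Administrators: $_" }
    $drift.Missing    | ForEach-Object { Write-Warning "Expected member not present: $_" }
    # Non-zero exit lets a scheduled task or monitoring agent flag this host.
    exit 1
}
```

Run it from a scheduled task between policy refreshes to catch membership changes that a GPO refresh would later overwrite, or that a startup-script-only configuration would never revert.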


