Re: Local admin group

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/26/04

Next message: Jos Branders: "Lockout Resetter: quickly reset a locked out account."
Previous message: Roger Abell: "Re: Security Issues with NT4 being no longer supported."
In reply to: Todd J Heron: "Re: Local admin group"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 26 Nov 2004 08:57:18 -0700

Also, if you implement this using Restricted Groups,
make sure that you
1. do it in GPOs that are not linked to the Domain
    or to the Domain Controllers OU so that only
    machine local Administrators groups (i.e. not the
    domain's Administrators group) are affected
2. you are aware that you are defining the precise
   membership of the Administrators group. As such
   it is convenient to combine this with use of the policy
   to rename the built-in Administrator account so that
   when you include this you are sure that it is as the
   account is named on every machine.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
news:e3zpye70EHA.3504@TK2MSFTNGP12.phx.gbl...
> Use the Restricted Groups Group Policy feature.
>
> How to Configure a Global Group to Be a Member of the Administrators Group
> on all Workstations:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
>
> More on the use of Restricted Groups:
>
http://groups.google.com/groups?selm=uM5aZa1YDHA.440%40tk2msftngp13.phx.gbl
>
> Alternative solutions:
> For a VBScript solution:
>
http://groups.google.com/groups?as_q=add%20administrators%20winnt%20group%20GetObject&as_uauthors=torgeir%20&as_scoring=d&lr=&hl=en
>
> For a CMD-line script solution:
> net.exe localgroup administrators "YourDomainName\LocalAdministrators"
/add
>
> -- 
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
>
>

Next message: Jos Branders: "Lockout Resetter: quickly reset a locked out account."
Previous message: Roger Abell: "Re: Security Issues with NT4 being no longer supported."
In reply to: Todd J Heron: "Re: Local admin group"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Local admin group
... Also, if you implement this using Restricted Groups, ... membership of the Administrators group. ... Microsoft MVP (Windows Security) ... MCSE MCDBA ...
(microsoft.public.windows.server.general)
Re: Local admin group
... Also, if you implement this using Restricted Groups, ... membership of the Administrators group. ... Microsoft MVP (Windows Security) ... MCSE MCDBA ...
(microsoft.public.windows.server.setup)
Re: restricted groups for local admin rights
... I'm referring to local administrators and not domain administrators?) ... > describe you want to use the "member of" option for restricted groups. ... > way you can add a global group to the administrators group without affecting ...
(microsoft.public.windows.group_policy)
RE: Removing local users from local administrator group
... Create an OU including all user accounts you want to move from local ... administrators group. ... Apply Restricted Groups group policy to this OU. ...
(microsoft.public.win2000.group_policy)
Re: Dmin group member ship keeps disappearing.
... You either have Restricted Groups enabled in the domain or are using a Group ... Policy shutdown script to manage membership of the administrators group. ... > couple of computers and adding admins to the local admin account. ... > fine for the local user I added ...
(microsoft.public.windowsxp.security_admin)