Re: OU delegation

---

• From: "tin" <mastertin@xxxxxxxxxxxxxxxx>
• Date: Fri, 27 Jul 2007 12:08:41 -0700

---

I came across this one policy but wasn't sure what it for.

Thank you so much for all you guys help!

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OYDjfiB0HHA.4476@xxxxxxxxxxxxxxxxxxxxxxx

<jwgoerlich@xxxxxxxxx> wrote in message
news:1185494563.324121.81530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Interesting. I have always simply added the groups to the computers'
local Adminstrators group. The same thing could be done by adding
Administrators to the "Restricted Groups" setting and specifying the
delegated group.

This setting is under:

Computer Configuration
Windows Settings > Security Settings > Restricted Groups

Just to be clear, the way one would do this, add a domain group
named for example OuControllers to the Administrators group
on all machines in the OU, is to add a Restricted Group definition
in a GPO linked to that OU. The Restricted Group definition would
be for the group OuControllers, one would leave the Members list
empty (not set) and would type in Administrators as the one entry
in the Member-Of list.

Roger

On Jul 26, 12:08 pm, "tin" <master...@xxxxxxxxxxxxxxxx> wrote:

Hello, I've delegated full controll to a security group to an OU, but
that
group still not able to manage computers remotely. For instance, they
cannot
perform administrative tasks on computers in that are in this OU. I know
I
can run a script to add this security group to all the active computers
in
that OU but I just wanted to know if there's another way to do this? I
dont
think you can automate this through GPO though, but I could be wrong.

Thanks,
TC

.

---

• References:
  • OU delegation
    • From: tin
  • Re: OU delegation
    • From: jwgoerlich
  • Re: OU delegation
    • From: Roger Abell [MVP]

• Prev by Date: Re: Security
• Next by Date: Re: How to force User log off when time expires?
• Previous by thread: Re: OU delegation
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Default Security Groups ... Domain Admins group will be added to local administrators group by default. ... Start Active Directory Users and Computers from any domain controller. ... Click the Group Policy tab, click NEW, and then name the policy. ... policy and you see the Administrators group listed in the Restricted Groups ... (microsoft.public.windows.server.migration) Re: Allowing a domain user account (specify) to add workstation to Windows 2000 domain (SP4) ... into the local administrators group on the workstation. ... restricted groups you can then modify the group membership to get users into ... Create the gpo in the ou where the Computers reside, ... we removed the right to add workstation to Windows 2000 ... (microsoft.public.win2000.active_directory) Re: Want to add users to their local Admin group ... > Above assumes adding user to Administrators group on more than one PC. ... > operation on more than on PC, I think we should use GPO here. ... Restricted groups would be great if we could ... PC-1 with user Joe, PC-2 with user Mary, and PC-3 with user Peter. ... (microsoft.public.windows.server.active_directory) Re: Using the right GPO, or Group for granting limited elevated admin privs ... Delegation let's You delegate some administrative tasks in AD to the ... Restricted groups is GPO settings which lets You specif the members of ... choosen group - for example local administrators group n some workstations. ... (microsoft.public.win2000.active_directory) Re: local security group into local Administrator group ... group if all of those in scope machines are to have ... > Administrators group that machine local groups are not ... Security) ... >>> Would like to use Restricted Groups to standardize the ... (microsoft.public.windows.group_policy)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)