It would work if your DAs are well behaved (or should I say
threatened with effects flowing from misbehavior).
If you used a restricted group definition in a GPO on which
only the EAs had a grant to modify the GPO settings, then the
DAs would have to go out of their way to either override that
GPO with a higher priority GPO or alter the permissions on
that GPO and then alter the restricted group def in it.
whats the best way of restricting membership of the dom ads group?.
ideally i would like just the enterprise admins group to be allowed to
change membership of the DA group.
has anybdy actually done this using restricted group? and does it
work ?
Re: Help needed setting up roaming administrator ...>Administrators group (just type in Administrators, don't browse for it, ... >add your Roaming Local Admins group to the Members of this group section ...GPO associated with the OU that contains the computers I want to use ...restricted group and to define the groups the restricted group will ... (microsoft.public.win2000.security)
Re: Desktop Admin - HELP ...restricted group in my GPO and refreshed my policy and all should be good... ...local admin rights...... ALSO, i created a brand new GPO to use, and it had the same results... ... (microsoft.public.win2000.active_directory)
Re: restricted groups have broken Admin access....help! ...member server' bit and just added my choosen users to the 'administrator' ... Then the Domain Admin access was lost. ... I then tried deleting the GPO and redoing the restricted group as per ... I eventually gave up and deleted all traces of the groups and GPO,... (microsoft.public.win2000.group_policy)
Re: Domain Administrator have lost all rights ... I have never changed anything in the default domain GPO, the restricted group... was in a seperate GPO called 'machines' that contains all the workstations.... >>that have administrator Full control permissions,... (microsoft.public.win2000.active_directory)
Re: Adding domain users as local XP administrators... ... create the new GPO and set my policy?... >> create a restricted group policy in the domain policy that will ... >> domain has full rights to the local machine.... (microsoft.public.windowsxp.security_admin)
