Removal of Restricted Groups Policy

[Neil Bowen]

We have a Windows 2000 system with about 1000 users all running XP
which was set up to support "Hot Desking" as suggested by Management -
but user resistance has finally led to the official abandonment of the
policy. The Domain Local Admins group is made a member of the Local
Admins group on all PCs using Group Policy. Because we have a large
number of badly written apps we have a Domain Local Admins group
containing over 400 of these users and we really now want to limit the
users to Local Admins group on their own PCs only and limit the Domain
Local admins to the HelpDesk.

What I need is some pointers as to the best way to go about this as
the Group Policy setting will just clean out the user if we add a bit
on to the Login Script to put them into the Local Admins. If we remove
the Restricted Group settings first then I not quite sure what will
happen to the Local Admins Group but I suspect it will only contain
the local Administrator.

Any thoughts on the best way to go about this?

Neil

 

[Brian Desmond [MVP]]

Neil-

If you turn off restricted groups, the groups will simply be left as they
were set by the restricted groups settings. There won't be any rollback.

As far as making the user's admins only on their workstations, you'll need
to apply some sort of asset tracking in cooperation with a startup script
which figures out what user is assigned to the machine and grants them the
group membership.

--
--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com

 

[Bruce Sanderson]

Many "bad" applications merely need some permissions adjusted to work for
Users (not administrators). You might want to see if applying the
"compatws" security template helps with your "badly written apps".

Start, Run, mmc /a
File, Add/Remove Snap-in
Click Add
Select Security Configuration and Analysis; click Add, click Close, click OK
right click Security Configuration and Analysis, select Open Database
key a name and select where you want it stored (typically, I find I just
want to discard it later anyway, so I put it in a temporary file folder)
select compatws.inf; click Open
follow the instructions in the right pane

Our experience is that for Windows XP workstations, this is a viable way to
get around having to run most applications as Administrator. Applying the
compatws security template selectively "weakens" security (adjusts
permissions) to accomodate "legacy" or "badly written" applications (e.g.
those that insist on storing data in the Program Files folder).