Retaining local administrator groups when using restricted groups.

S

Shayne D. Swann

This kinda defeats the purpose of restricted groups but my company is
currently redesigning their group policy infrastructure and have decided to
used restricted groups.

Currently their are quite a few users who are members of the local
administrators group of their assigned workstation because of business
requirements.

Goal:
To implement the use of restricted groups while allowing the current local
administrators of a system to remain local administrators.

We have thought of a few work arounds but here are some of the problems we
are facing:
1. Gather all of the members that will need local administrator rights on
their workstations to a domain local group and adding that group to the
restricted group we place on the workstations.

The problem with this is we dont want to grant all users in this group local
admin rights to all of the computers.

2. Use computer login scripts to add the specfied domain groups to the local
administrators group with out using restricted groups.

The problem with this is their is no group policy refresh, and these groups
(if a local administrator removes them) will only apply at computer logon.

Is their any known "happy medium" for meeting this requirement?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top