GPO - adding Domain Users to local Power Users group

JohnB

I cannot find how to do this anywhere.

I go to Computer Settings->Security Settings -> Restricted Groups

I choose Add Group -- which group gets entered there? Domain Users?

Then I right-click on the newly created Restricted Group. I have 2 more
options: Members of this Group and This Group is a Member of. I do not see
where I can choose Power Users in any of those options. How is that done?

Can someone please reveal this well kept secret?
Thanks
 
ptwilliams

It's not so much a secret, rather a poor, confusing GUI.

You'll need to add the Power Users group without searching for it - just by
typing it in. And yes, you add whatever group and/or user(s) you want to
add to the local Power Users group.

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


Cary Shultz [A.D. MVP]

It is actually quite easy if you read the following MSKB Article:

http://support.microsoft.com/?id=320065

However, if you do not have this KB Article it is a tough nut to crack. And
the important thing to remember is that you do the first part on a DC ( not
sure why that is necessary ) and the second part from a WIN2000 system
running the ADMINPAK.

Also, be aware that by default adding a group to the local xxxxx group will
flush out the membership of that local xxxxx group. There is a fix to that
as well. Please see the following MSKB Article:

http://support.microsoft.com/?id=810076

This requires a phone call to MS-PSS and you need to know that if you have
both WIN2000 and WINXP systems then you will need the fix for the WIN2000
systems and the fix for the WINXP systems ( two separate fixes ). The call
will not cost you anything.

So, say that you want to add your 'Help Desk' group to each of the systems'
local Administrators group. Not a problem! Use the MSKB article that I
posted and in a few moments you are done. Now, three days later one of the
Domain Admins is trying to log on to a system and install some software (
she just happened to be walking by and Mary, her buddy from high school,
asked her if she would.... ). So, Juanita logs on - using her account (
which is a member of the Domain Admins group! I know, not supposed to do
that but it happens in the real world all the freaking time! ) and is unable
to install the software! Why? Because when you applied the Restricted
Group GPO and added the 'Help Desk' group to the local Administrators group
you flushed out all of the current members - including the Domain Admins.
So, if you do this - without applying the appropriate patch to each and
every system - then you would need to remember to add the Group of your
choice ( 'Help Desk' in this example ) -AND- the Domain Admins. The other
choice is to apply the appropriate patch to each system and then use the
Restricted Group GPO. With the patch installed the RG GPO no longer flushes
the current membership and replaces it with the designated group(s) but
simply adds the designated group.

HTH,

Cary
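
The flush behaviour described in the post above can be checked for before a GPO is linked. This is an added example, not code from the thread or from the KB articles: it assumes the Restricted Groups settings are read from the GPO's GptTmpl.inf security template, where they sit under `[Group Membership]` as `__Members` ("Members of this group") and `__Memberof` ("This group is a member of") keys. The sample template, its domain SID and RID 1105 for 'Help Desk' are constructed.

```python
LOCAL_ADMINS = ("*S-1-5-32-544", "Administrators")  # well-known SID, or a typed-in name

# Constructed sample: 'Help Desk' (RID 1105) is set as the only member of local
# Administrators; Domain Users (RID 513) is made a member of Power Users (S-1-5-32-547).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-547
*S-1-5-21-1111111111-2222222222-3333333333-513__Members =
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        items = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})[kind.lower()] = items
    return groups

def is_domain_admins(member):
    """Domain Admins has RID 512 in every domain; also accept a typed-in name."""
    return member.endswith("-512") or member.lower().endswith("domain admins")

def audit(inf_text):
    """Flag non-empty Members lists on local Administrators that omit Domain Admins."""
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        if group in LOCAL_ADMINS and entry["members"]:
            if not any(is_domain_admins(m) for m in entry["members"]):
                findings.append(f"{group}: Members list replaces membership, no Domain Admins")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF)) or "no findings")
```
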
 
JohnB

Excellent! Thanks for your help.
 
