Group Policy

[CJ]

I have all our users on a 2003 Active Directory network and because of some
software that installs and updates automatically, like antivirus, all users
are assigned as Administrators of their machines.

However, there are some things I would like to restrict through Group
Policy.

Not being a big GPO expert, will Group Policy affect users if they are
assigned administrative rights to their machines?

What do I need to do?
Thanks,
CJ

 

[Cary Shultz [A.D. MVP]]

CJ,

I assume that the question is directed at me.

I am not a fan of putting any domain user account object in the local
Administrators group. It leads to too many problems. I like to make them
Power Users - at most. You should know that, by default, the Domain Users
account is a member of the local Users group on all WIN2000 / WINXP systems.

If you want to control who is a member of what group on the local computer
then take a look at restricted groups. I could give you two links but I am
not going to do so. Take a spin around. The discovery process is very
fruitful!!!!! Who knows what you might find along the way...

Just know that the default behavior of the restricted group GPO is to flush
the content of the 'group in focus' and then add the group that you specify.
From that point forward no one will be able to add any other group or user
account object to that 'group in focus'.

I would suggest that you rethink your deployment. It should not be
necessary for your users to be installing software - generally speaking. If
they are members of the local Administrators group then they can do anything
on that system. Not what I typically want!

I might suggest that you take a spin over to the Group Policy news group.
Do a search for my name. There are several posts in there that explain the
very basics of Group Policy!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com