Restricted Groups > Local Administrators

Rob

For some strange reason I have been unable to use GPOs to set the membership
of the local administrators group on my PCs. I can make this work on Domain
level groups, but not the local administrators group of PCs. I've clearly
missed something here....

Any tips would be appreciated.

Rob
 
Rob said:
For some strange reason I have been unable to use GPOs to set the membership
of the local administrators group on my PCs. I can make this work on Domain
level groups, but not the local administrators group of PCs. I've clearly
missed something here....

Any tips would be appreciated.

Someone finally taught me the trick to these.

Local groups don't exist on the DCs so this is the
initial problem -- you (like me) probably tend to
run AD Users/Computer and the GPO Editor from
the DCs ONLY.

Install the tools on an XP box or on a Win2000 box
(which has the built-in local groups.) This would
also work on a non-DC server.

ADMINPAK.msi in the DC System32 directory
contains the tools.

Run the tools from there and set up the Restricted
Group -- you will be able to pick the local built-in
groups.

This will work because as built-in groups their
SIDs are predictable.

It probably won't work for any custom local groups
though.
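
Added example, not part of the thread: a Restricted Groups setting is stored in the GPO's GptTmpl.inf under [Group Membership], and this sketch parses that section to show which groups are keyed by a well-known built-in SID and which are not. The domain SID, the RIDs and the group name HelpdeskLocal in the sample are constructed placeholders.

```python
import re

# Well-known built-in local group SIDs; identical on every Windows machine.
BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
}

# Constructed sample GptTmpl.inf; domain SID and group name are placeholders.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
HelpdeskLocal__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<vals>.*)$", re.I)

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...], "builtin": name or None}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the [Group Membership] section holds Restricted Groups entries.
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        ident = m.group("group").strip()
        # A leading '*' marks a SID; anything else was stored by name.
        sid = ident.lstrip("*") if ident.startswith("*") else None
        entry = groups.setdefault(ident, {"members": [], "memberof": [], "builtin": BUILTIN.get(sid)})
        vals = [v.strip().lstrip("*") for v in m.group("vals").split(",") if v.strip()]
        entry[m.group("kind").lower()] = vals
    return groups

def unpredictable_groups(groups):
    """Groups not keyed by a well-known built-in SID (e.g. custom local groups)."""
    return sorted(g for g, e in groups.items() if e["builtin"] is None)

if __name__ == "__main__":
    parsed = parse_restricted_groups(SAMPLE_INF)
    for name, e in parsed.items():
        print(name, e["builtin"] or "(custom / by name)", e["members"])
    print("review:", unpredictable_groups(parsed))
```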
 
Herb,

Glad that you remembered the trick and are passing it along.

Cary
 
Cary Shultz said:
Herb,

Glad that you remembered the trick and are passing it along.

Sorry I didn't remember who told me. Thanks again.

A thought occurred to me however: I suppose this won't work
for restricting custom groups on the computers -- only for the
built-in groups.

Of course, if you go to Native(+) mode then you can build
local groups on the domain and avoid even having to create
standardized custom groups.
 