Restricted Groups > Local Administrators

[Rob]

For some strange reason I have been unable to use GPOs to set the membership
of the local administrators group on my PCs. I can make this work on Domain
level groups, but not the local administrators group of PCs. I've clearly
missed something here....

Any tips would be appreciated.

Rob

 

[Herb Martin]

For some strange reason I have been unable to use GPOs to set the membership
of the local administrators group on my PCs. I can make this work on Domain
level groups, but not the local administrators group of PCs. I've clearly
missed something here....

Any tips would be appreciated.

Someone finally taught me the trick to these.

Local groups don't exist on the DCs to this is the
initial problem -- you (like me) probably tend to
run AD Users/Computer and the GPO Editor from
the DCs ONLY.

Install the tools on an XP box or on a Win2000 box
(which has the built-in local groups.) This would
also work on a non-DC server.

ADMINPAK.msi in the DC System32 directory
contains the tools.

Run the tools from there and setup the Restricted
Group -- you will be able to pick the local built-in
groups.

This will work because as built-in groups their
SIDs are predictable.

It probably won't work for any custom local groups
though.

 

[Cary Shultz [A.D. MVP]]

Herb,

Glad that you remembered the trick and are passing it along.

Cary

 

[Herb Martin]

Herb,

Glad that you remembered the trick and are passing it along.

Sorry I didn't remember who told me. Thanks again.

A thought occurred to me however: I suppose this won't work
for restricting custom groups on the computers -- only for the
built-in groups.

Of course, if you go to Native(+) mode then you can build
local groups on the domain and avoid even having to create
standardized custom groups.