RE: [ActiveDir] Add junior admin to Local workstations admin group

Sat, 16 Aug 2003 20:01:31 -0700

Title: Message
"Put down the beer Rick", come now - Rick is far too sophisticated to be drinking beer ... "Put down the Beaujolais" seems more apt (actually, with all that crap said ... I know for a fact he drinks beer ... the phrase like a fish actually springs to mind) - just teasing Rick!
 
Joe,
 
I was wondering why you choose to use mostly DLGs and if you've encountered any behavioral oddities when using them to assign permission to the directory itself.
 
Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Put down the beer Rick...
 
DC's have the local groups, especially administrators.  If you didn't block you would get the specialgroup in your Domain Controllers administrators group. I have tens of thousands of local groups on my domains. We don't use Global/Universal except builting, everything else is DLG.
 
   joe
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 16, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Deji,
 
Good example - I like it, but I'm curious on one thing.  You state that you block it at Domain Controllers.  I'm not sure why, as DCs have no local groups.
 
If you're just being specifically cautious, great.  Me, I don't see the need to block it at the DC OU as it won't affect anything.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 1:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

This is what I have in a batch file:
net localgroup administrators
if NOT %errorlevel%==0 GOTO :GERMAN
net localgroup administrators /add myDomain\specialGroup
GOTO :END
:GERMAN
net localgroup administratoren /add cmyDomain\specialGroup
:END
 
I then add the batch file to a Machine Startup GPO at the Domain Level, blocking it at the Domain Controllers.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Narkinsky, Brian
Sent: Fri 8/15/2003 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Add junior admin to Local workstations admin group


I need to add two users to the local administrators group of every machine in
an OU.

I've looked at restricted groups GPO but, this doesn't really seem to do what
I want.  I don't need to restrict just add.

I am also looking at writing a script to run at boot ,but again not sure
there isn't an easier way.

Any Ideas?

Brian Narkinsky



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

<<attachment: winmail.dat>>

Reply via email to