There is a danger to using restricted groups. It will replace the contents of the group with whatever you specify in the GPO. The only exception is the default local admin account. If you have a lot of users in the local admin, they will be removed when this gets applied. If you add a user to the local admin group, they will be removed based on your policy refresh cycle.

Dave

------------------------------------------------
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597
DSN: 276-4597
------------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 13, 2004 06:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

1. Use restricted groups.

2. Use startup scripts. Simply add some other group from the domain to the local administrators group of the machines.

3. Use a script or batch file that goes through all machines and adds the user.

One thousand machines isn't many, but it is well beyond the number that you should already be pretty familiar with scripting. If you aren't, make that a high priority. At this point you should be doing most daily admin through scripts and command line tools, not GUI.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, December 13, 2004 5:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this?

Cheers
Seyi

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
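
A way to preview the replacement behaviour described at the top of this thread before a Restricted Groups policy is linked, as an added example that is not part of the original messages. The function name, account names and SIDs are constructed, and the code assumes any member whose SID ends in RID 500 is the machine's own built-in Administrator account.

```powershell
# Added example: preview what a Restricted Groups "Members" list would do to
# the local Administrators group. All names and SIDs below are constructed.

function Compare-RestrictedGroupMembership {
    param(
        [Parameter(Mandatory)] [object[]] $CurrentMembers,  # objects with Name and SID
        [Parameter(Mandatory)] [string[]] $PolicyMembers    # names listed in the GPO
    )
    $seen = @{}
    foreach ($m in $CurrentMembers) {
        $seen[$m.Name] = $true
        if ("$($m.SID)" -match '^S-1-5-21-.+-500$') {
            # Assumption: a RID-500 member is the built-in local Administrator,
            # the one account the thread says is not removed.
            $action = 'Keep (built-in Administrator)'
        } elseif ($PolicyMembers -contains $m.Name) {
            $action = 'Keep'
        } else {
            # Not in the policy list: dropped at the next policy refresh.
            $action = 'REMOVE'
        }
        [pscustomobject]@{ Name = $m.Name; Action = $action }
    }
    foreach ($p in $PolicyMembers) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Name = $p; Action = 'Add' }
        }
    }
}

# Constructed sample of one workstation's current Administrators group.
# On a live machine this could come from:
#   Get-LocalGroupMember -Group Administrators | Select-Object Name, SID
$current = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith';        SID = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
    [pscustomobject]@{ Name = 'PC01\helpdesk';         SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
)

# Constructed "Members" list as it would be entered in the Restricted Groups policy.
$policy = 'EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins'

Compare-RestrictedGroupMembership -CurrentMembers $current -PolicyMembers $policy |
    Format-Table -AutoSize
```

With the sample data, `EXAMPLE\jsmith` and `PC01\helpdesk` are reported as `REMOVE`, which is the loss of existing local admins the reply warns about.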