That's not the same net effect. Those settings are only applied at restart as 
opposed to being applied every 90 minutes (or whatever your refresh interval 
is). It's quite possible to remove the perms granted by that script and run like 
that for months. 


--------
Roger Seielstad
E-mail Geek
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, September 24, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

I agree it would be better to give that option of append along with override. I 
assume, they didn't implement, because it is very easy to get the desired result 
thru other means like this batch file, which can run as computer startup 
script, for intended machines. This works like append operation.

:: Add support admin to administrators group
net localgroup administrators domain\supportadmin /add

On 9/25/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
>
> Actually, the ideal would be the option to append or override.
>
> Sometimes you don't care if others are in a specific group, as long as a
> specific set of accounts/groups are in that group. Case in point is IT shops
> where the user is granted/required to have local admin. Ideally, you'd set
> that user, plus your IT support staff, as local admin. Without having the
> option to append, all you can do is override, which means that one user is
> then out.
>
> --------
> Roger Seielstad
> E-mail Geek
>
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
> Sent: Friday, September 23, 2005 2:42 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?
>
> But then it defeats the purpose of restricted group, as you want to be sure
> that only known members are part of the restricted group. If the operation
> is merge then it is not restricted by definition?
> When you ask for merge or append, you are doing some group membership
> modification. You better use some scripts for that.
>
> I would suggest create a separate group of those app servers, and apply
> group policy with restricted group populated as you want.
> Make sure Group Policy is applied to that group of app servers only. It is a
> must that you remove "Authenticated Users" group from group policy security.
>
> On 9/23/05, Mark Parris <[EMAIL PROTECTED]> wrote:
> >
> > The biggest gotcha is that any existing group memberships for groups
> > managed by the restricted group policy are overridden by the restricted
> > group policy – this is my biggest gripe, I wish they would merge\append.
> >
> > Mark
> >
> > ________________________________
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: 23 September 2005 06:36
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] GPO Restricted Groups gotchas ?
> >
> > I would like to use restricted groups policies to specify local
> > Administrative access to application servers. I am sure this has already
> > been tried. I would like to know how this worked or did not work for those
> > who have tried it, and were there any unexpected gotchas that happened ?
> >
> > Thank You ! And have a nice day !
> >
> > **************************************************************
> > Mark Lunsford
> > KAISER PERMANENTE
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Fortune and Love befriend the bold"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
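
An added example, not part of the thread and not any poster's code: a PowerShell check for the gap raised in the top reply, where a startup script adds a member only at restart, so a later removal can go unnoticed. It reports required members that are missing and members outside an allow-list. The CONTOSO and APP01 names are constructed placeholders, and running the check on a schedule is an assumption.

```powershell
# Added example: audit a local group against "append" intent (required members)
# and "override" intent (nothing outside Required + Allowed).
function Compare-GroupMembership {
    param(
        [string[]]$Current = @(),            # members found in the group right now
        [Parameter(Mandatory)]
        [string[]]$Required,                 # must always be present (append intent)
        [string[]]$Allowed = @()             # additionally tolerated members
    )
    # -contains / -notcontains compare case-insensitively, like Windows account names.
    $known      = $Required + $Allowed
    $missing    = @($Required | Where-Object { $Current -notcontains $_ })
    $unexpected = @($Current  | Where-Object { $known   -notcontains $_ })

    [pscustomobject]@{
        Missing    = $missing       # what a startup-only script would not restore until restart
        Unexpected = $unexpected    # what a Restricted Groups override would have removed
        InSync     = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

function Get-LocalAdminNames {
    # Get-LocalGroupMember ships with Windows PowerShell 5.1
    # (module Microsoft.PowerShell.LocalAccounts); run elevated on the target machine.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
}

# Constructed sample: a machine some time after startup, where the support
# account was removed by hand and another account was added.
$sample = @('APP01\Administrator', 'CONTOSO\jdoe', 'CONTOSO\tempadmin')

$result = Compare-GroupMembership -Current $sample `
    -Required @('CONTOSO\supportadmin') `
    -Allowed  @('APP01\Administrator', 'CONTOSO\jdoe')

$result | Format-List

# Against the live group (assumed to run from a scheduled task or monitoring agent):
# Compare-GroupMembership -Current (Get-LocalAdminNames) -Required @('CONTOSO\supportadmin')
```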