That's not the same net effect. Those settings are only applied at restart as opposed to being applied every 90 minutes (or whatever your refresh interval is). It's quite possible to remove the perms granted by that script and run like that for months.

--------
Roger Seielstad
E-mail Geek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, September 24, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

I agree it would be better to give that option of append along with override.
I assume they didn't implement it because it is very easy to get the desired result thru other means like this batch file, which can run as a computer startup script for the intended machines. This works like an append operation.

:: Add support admin to administrators group
net localgroup administrators domain\supportadmin /add

On 9/25/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:
>
> Actually, the ideal would be the option to append or override.
>
> Sometimes you don't care if others are in a specific group, as long as a
> specific set of accounts/groups are in that group. Case in point is IT shops
> where the user is granted/required to have local admin. Ideally, you'd set
> that user, plus your IT support staff, as local admin. Without having the
> option to append, all you can do is override, which means that one user is
> then out.
>
> --------
> Roger Seielstad
> E-mail Geek
>
> ________________________________
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
> Sent: Friday, September 23, 2005 2:42 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?
>
> But then it defeats the purpose of restricted group, as you want to be sure
> that only known members are part of the restricted group. If the operation
> is merge, then it is not restricted by definition?
> When you ask for merge or append, you are doing some group membership
> modification. You better use some scripts for that.
>
> I would suggest creating a separate group of those app servers, and applying
> group policy with restricted group populated as you want.
> Make sure Group Policy is applied to that group of app servers only. It is a
> must that you remove the "Authenticated Users" group from group policy security.
>
> On 9/23/05, Mark Parris <[EMAIL PROTECTED]> wrote:
> >
> > The biggest gotcha is that any existing group memberships for groups
> > managed by the restricted group policy are overridden by the restricted
> > group policy – this is my biggest gripe, I wish they would merge\append.
> >
> > Mark
> >
> > ________________________________
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: 23 September 2005 06:36
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] GPO Restricted Groups gotchas ?
> >
> > I would like to use restricted groups policies to specify local
> > Administrative access to application servers. I am sure this has already
> > been tried. I would like to know how this worked or did not work for those
> > who have tried it, and were there any unexpected gotchas that happened?
> >
> > Thank You ! And have a nice day !
> >
> > **************************************************************
> > Mark Lunsford
> > KAISER PERMANENTE
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Fortune and Love befriend the bold"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
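
The following PowerShell script is an added example and is not part of the original thread. It performs the append-style enforcement discussed above in a form that can be re-run on a schedule rather than only at startup, and it reports unexpected members instead of removing them. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets; the account names other than domain\supportadmin are hypothetical.

```powershell
# Added example, not from the thread. Needs an elevated session when -Fix is used.
param(
    [string]   $Group    = 'Administrators',
    # Accounts that must be present. 'DOMAIN\supportadmin' is the thread's example name.
    [string[]] $Required = @('DOMAIN\supportadmin'),
    # Accounts tolerated in addition to $Required (hypothetical values).
    [string[]] $Allowed  = @("$env:COMPUTERNAME\Administrator", 'DOMAIN\Domain Admins'),
    # Without -Fix the script only reports; with -Fix it adds missing accounts.
    [switch]   $Fix
)

function Compare-GroupMembership {
    param([string[]]$Current, [string[]]$Required, [string[]]$Allowed)
    # -notcontains compares strings case-insensitively, like account names.
    [pscustomobject]@{
        Missing    = @($Required | Where-Object { $Current -notcontains $_ })
        Unexpected = @($Current  | Where-Object { ($Required + $Allowed) -notcontains $_ })
    }
}

# Current membership as 'DOMAIN\name' or 'COMPUTER\name' strings.
$current = @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name })
$drift   = Compare-GroupMembership -Current $current -Required $Required -Allowed $Allowed

foreach ($account in $drift.Missing) {
    if ($Fix) {
        # Append only: nothing is ever removed from the group.
        Add-LocalGroupMember -Group $Group -Member $account -ErrorAction Stop
        Write-Output "ADDED      $account"
    } else {
        Write-Output "MISSING    $account"
    }
}

foreach ($account in $drift.Unexpected) {
    # Reported for review, not removed, so a user's own admin right survives.
    Write-Output "UNEXPECTED $account"
}
```

Running it from a recurring scheduled task narrows the window in which a removed account stays removed, which a startup-only script leaves open until the next reboot.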