I'd hate to have admins explicitly added; I do everything via GPO. Any
machines that need *particular* local admins have different OUs.

You could run a script afterwards to add your *extra* admins if you know
what they are and where they belong, if you don't do it all via AD. You
could even add all necessary groups to your Restricted Group GPO and then
disable the GPO and remove the extra groups where they aren't needed.

2008/12/3 Liu, David (G2DD) <[EMAIL PROTECTED]>

> Probably, but that would effectively wipe out any local admins that were
> explicitly added, e.g. execs
> David Liu
> Answering from my blackberry. I'm on the move
>
>
> -----Original Message-----
> From: James Rankin <[EMAIL PROTECTED]>
> To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> Sent: Wed Dec 03 03:27:51 2008
> Subject: Re: removal of security GUID from deleted accounts
>
> If you use a Restricted Groups GPO, does this remove the SID? It certainly
> will remove all groups that it thinks shouldn't be there...
>
>
> 2008/12/3 Liu, David (G2DD) <[EMAIL PROTECTED]>
>
>
>         We had to delete/recreate the security group in an AD 2003 environment
>         which is used to populate local administrator membership on PC
>         workstations. However, as a result of the deletion the security group
>         now shows up with the deleted Security ID instead of a recognizable
>         name.
>
>         We tried to set the startup script to delete the old name, e.g. net
>         localgroup /delete but it doesn't work because only the phantom SID
>         exists. Inputting the string of SID in script doesn't work either.
>
>         Any idea on how to remove this SID via script?
>
>         TIA!
>
>
>         ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>         ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
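
For the phantom SID in the original question, one scripted approach is to enumerate the local group through the ADSI WinNT provider and remove members that are listed only by raw SID. This is an added example, not code from anyone in the thread; the parameter names `GroupName`, `TargetSid` and `Remove` are this example's own, and `TargetSid` is a placeholder for the deleted group's SID.

```powershell
# Added example: report (and optionally remove) unresolved SID entries in a
# local group. Run elevated, e.g. from a startup script.
[CmdletBinding()]
param(
    [string]$GroupName = 'Administrators',
    # Placeholder: SID of the deleted domain group.
    # Empty means "match any unresolved S-1-5-21-... member".
    [string]$TargetSid = '',
    # Without -Remove the script only reports what it finds.
    [switch]$Remove
)

$group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"

foreach ($member in @($group.psbase.Invoke('Members'))) {
    $type    = $member.GetType()
    $name    = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
    $adsPath = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

    # A member whose account no longer resolves is listed under its raw SID
    # instead of DOMAIN\name, so the name itself looks like a SID.
    if ($name -notmatch '^S-1-5-21-[\d-]+$') { continue }

    # When a specific SID is given, leave every other entry alone.
    if ($TargetSid -and $name -ne $TargetSid) { continue }

    if ($Remove) {
        # Remove by ADsPath (WinNT://S-1-5-21-...), since there is no
        # account name left to pass to "net localgroup /delete".
        $group.Remove($adsPath)
        Write-Output "Removed $name from $GroupName"
    }
    else {
        Write-Output "Unresolved SID in ${GroupName}: $name"
    }
}
```

Run it without `-Remove` first and review the output: passing the known SID of the deleted group in `TargetSid` avoids touching entries that are only unresolved because name lookup failed at that moment.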
