I'd just use a Group Policy and Restricted Groups. If you need more flexibility 
the groups options in Group Policy Preferences may work. I usually stay away 
from modifying the two default policies but there's no technical reason you 
can't.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132


-----Original Message-----
From: John Bowles [mailto:john.bow...@wlkmmas.org] 
Sent: Thursday, January 21, 2010 9:17 AM
To: NT System Admin Issues
Subject: RE: GPO Best Practices

I'm looking for a best practices kind of thing here... When admins want to 
force other groups or accounts to workstations outside of domain admins, and 
not allowing the local admin to modify the list. Do they create a separate GPO 
for this function?  Or do they modify the default GPO for this task?  

I know it's not best practices to modify the default, but I think having a 
separate GPO for every little issue or fix would be cumbersome as well. 

Thoughts?


John Bowles


________________________________________
From: Kurt Buff [kurt.b...@gmail.com]
Sent: Wednesday, January 20, 2010 4:09 PM
To: NT System Admin Issues
Subject: Re: GPO Best Practices

NP

On Wed, Jan 20, 2010 at 12:27, Jon Harris <jk.har...@gmail.com> wrote:
> My bad you are correct I forgot to say that was true and this is how it is
> done.  Sorry.
>
> Jon
>
> On Wed, Jan 20, 2010 at 1:45 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> I think you're kinda saying the same thing I am.
>>
>> DAs are added to any non-DC's local Administrators group when added to
>> the domain, unless things have changed since Win2k3 R2 SP2+ and XP
>> SP3+. They are, by default, admins on any machine joined to the
>> domain, though the local Administrator can kick them out.
>>
>> Of course, if you're worried about someone with a Nordahl bootdisk or
>> something similar, that's a second or third reason to enforce it by
>> GPO, I suppose, along with a standard account being in either the
>> Administrator or Power Users group, or someone knowing the local
>> Administrator password.
>>
>> Kurt
>>
>> On Wed, Jan 20, 2010 at 10:26, Jon Harris <jk.har...@gmail.com> wrote:
>> > I believe DA's are added to the Administrators group but are not local
>> > Administrators.  From my experience local administrators can trump DA's
>> > and where possible it is best to remove local administrators from the
>> > Administrators group to prevent this.  The other tactic to take would be
>> > to disable the local administrator account.  That is what I strive for
>> > but it is not always possible.
>> >
>> > Jon
>> >
>> > On Wed, Jan 20, 2010 at 1:15 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> >>
>> >> To my certain knowledge, yes. This leads me to wonder why this is an
>> >> issue.
>> >>
>> >> I can only think of one reason: Non-DAs are also admins or power
>> >> users, and they want to ensure that the non-DAs can't kick the DAs off
>> >> the workstations.
>> >>
>> >> Kurt
>> >>
>> >> On Wed, Jan 20, 2010 at 07:40, Carol Fee <c...@massbar.org> wrote:
>> >> > Aren't the Domain Admins automatically added to the local
>> >> > Administrators
>> >> > when the computer is joined to the domain ?
>> >> >
>> >> >
>> >> >
>> >> > CFee

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
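
Added example (not part of the original thread or any poster's code): the thread suggests enforcing local Administrators membership with Restricted Groups so a local admin cannot remove Domain Admins. The sketch below parses the `[Group Membership]` section that a Restricted Groups policy writes to the GPO's `GptTmpl.inf` and reports whether Domain Admins is in the enforced list and which other principals are. The sample file content, the domain SID and RID 1104 are constructed; the function names are hypothetical.

```python
import re

ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
DOMAIN_ADMINS_RID = "512"     # Domain Admins (well-known RID)

# Constructed sample of a GptTmpl.inf; the domain SID and RID 1104 are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1104
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            names = [n.strip().lstrip("*") for n in m.group(3).split(",") if n.strip()]
            groups.setdefault(m.group(1), {})[m.group(2).lower()] = names
    return groups

def audit_local_admins(inf_text, allowed_rids=(DOMAIN_ADMINS_RID,)):
    """Is the Administrators list enforced, is Domain Admins in it, and who else is?"""
    entry = parse_group_membership(inf_text).get(ADMINS_SID, {})
    if "members" not in entry:          # no Members line: membership is not enforced
        return {"enforced": False, "domain_admins": False, "unexpected": []}
    # Entries stored as names rather than SIDs have no RID and land in "unexpected".
    rids = {sid: sid.rsplit("-", 1)[-1] for sid in entry["members"]}
    return {
        "enforced": True,
        "domain_admins": DOMAIN_ADMINS_RID in rids.values(),
        "unexpected": [s for s, r in rids.items() if r not in allowed_rids],
    }

if __name__ == "__main__":
    print(audit_local_admins(SAMPLE_INF))
```

Real `GptTmpl.inf` files under SYSVOL are usually UTF-16, so decode accordingly before passing the text in.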
