We do have some permanent admin groups that our techs don't have access to add people to. This problem is really a political one, as most people follow the rules, but a few have been told numerous times but we still find leftover admins.
That software sounds interesting and I will pass the info on to our software guy, but I'm not sure if it would work for this scenario. We package and deploy via GPO (soon to be SCCM, in deployment) most of our stuff, but there are a lot of little apps that are still manually installed. Good examples would be software needed to work with a particular smart phone - not sure this would work for those one-offs.

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Friday, November 05, 2010 12:35 PM
To: NT System Admin Issues
Subject: RE: Script to remove all users from a group

....another option. Make your temp admins permanent and have your techs reset the password shortly after they give it to someone to install software.

As for elevated rights to install...we put the install packages that require that on a webpage. The shortcut on the web page runs it elevated for the user, so we just direct them to the webpage. We use a program called Encrypted RunAs to make the shortcuts. It is around 400 bucks for a domain wide license.

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu]
Sent: Friday, November 05, 2010 3:30 PM
To: NT System Admin Issues
Subject: RE: Script to remove all users from a group

Ah, okay, so let me clarify. With our XP workstations, we're already using restricted groups in group policy to append groups to our workstations, but it doesn't prevent people who already have access from adding additional local administrators, or adding users to other groups. As we roll out Win7, we're now implementing a restricted groups policy that will replace instead, to lock things down more. Using a WMI filter on the policies to select XP vs non-XP machines - that is working great.

But, we always have those one-off scenarios where someone needs to be a local admin just long enough to get a piece of software installed, then you can drop the permissions.
It's possible that run-as may work for some (not sure on this yet - might not add to the correct registry areas), but we have some really ancient software around that may not play well at all. I'm not the software packager/deployer, so that will be sorted out by others.

My plan is to have a "temporary local admins" group in AD that is also already added via restricted groups. Techs will have access to add users to this group, but we want an automated process to dump the group membership every day, say 2am, so people don't get left there.

-Bonnie

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, November 05, 2010 11:44 AM
To: NT System Admin Issues
Subject: Re: Script to remove all users from a group

You can do this more easily via Group Policy...

What specific group are you thinking of doing this with?

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Fri, Nov 5, 2010 at 2:33 PM, Miller Bonnie L. <mille...@mukilteo.wednet.edu> wrote:

I need something that will take a specific domain global group (domain\groupname) and remove all members from that group. I'd like to schedule the task with Windows (2008 R2) Task Scheduler to run at a certain time every day. I'm thinking something that will run via cmd, PS, or even cscript, but I know very little about the second two - anything quick and easy out there to get the job done?

-Bonnie

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
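An added example, not code from anyone in this thread: one way to do the daily cleanup the original question asks for, using the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 (it needs a domain controller running Active Directory Web Services). The group name, log path and protected-group list are assumptions.

```powershell
# Added example: empty one AD group and log who was removed.
# GroupName, LogPath and the protected list are assumed values, not from the thread.
param(
    [string]$GroupName = 'Temporary Local Admins',        # hypothetical sAMAccountName
    [string]$LogPath   = 'C:\Logs\TempAdminCleanup.log'   # hypothetical; folder must exist
)

Import-Module ActiveDirectory -ErrorAction Stop

# Guard against a mistyped or altered task argument emptying a group that matters.
$protected = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
             'Administrators', 'Domain Users', 'Domain Computers'
if ($protected -contains $GroupName) {
    throw "Refusing to empty protected group '$GroupName'."
}

$group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$members = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
$stamp   = Get-Date -Format 's'

if ($members.Count -eq 0) {
    Add-Content -Path $LogPath -Value "$stamp`t$GroupName`tno members"
    return
}

# Log each member before removal so leftover admins can be traced afterwards.
foreach ($m in $members) {
    Add-Content -Path $LogPath -Value "$stamp`t$GroupName`tremoving`t$($m.objectClass)`t$($m.distinguishedName)"
}

try {
    Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false -ErrorAction Stop
} catch {
    Add-Content -Path $LogPath -Value "$stamp`t$GroupName`tFAILED`t$($_.Exception.Message)"
    throw   # rethrow so the failure is not silent
}

# Verify: anything still present means the removal did not fully apply.
$left = @(Get-ADGroupMember -Identity $group)
Add-Content -Path $LogPath -Value "$stamp`t$GroupName`tdone, remaining members: $($left.Count)"
if ($left.Count -gt 0) { exit 1 }
```

Run it from Task Scheduler under a service account that is delegated only the right to write the member list of this one group. Emptying the group affects future logons only: a user who is still logged on keeps the group's SID in their token until they log off.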