Keep trying and don't give up that fight; it will be worth the effort in the long run, as you know.
Jon

On Fri, Nov 12, 2010 at 1:54 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
> Thanks guys,
>
> Reviewing it now and testing out the OU to start ripping and removing the bloat in the local admins group, even though I lost my battle with further restrictions of those groups, and following the least privilege best practices.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email:ezi...@lifespan.org
> Cell:401-639-3505
>
> *From:* KenM [mailto:kenmli...@gmail.com]
> *Sent:* Friday, November 12, 2010 1:00 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Questions on the Application of Restricted Groups to Local Groups on Servers, Workstations
>
> There are a few ways you can do this. One would be in the restricted group settings, create new group. The name would be the local group of the server so Administrators and "Power Users". Add the local admin account and whatever domain accounts in there.
>
> The other way would be to add a Domain Group in the GPO and set that as a member of the local groups. The difference between the two is that the first one will clear the group membership and the second one will just add to the local group. Here are a few links.
>
> http://technet.microsoft.com/en-us/library/cc785631%28WS.10%29.aspx
> http://www.frickelsoft.net/blog/?p=13
>
> On Fri, Nov 12, 2010 at 12:48 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> For those that have worked with the Restricted Group Functionality in Windows 2003, Windows 2008 R2. I have the following questions.
>
> I am looking to create some group policies that will affect the local administrators, power users groups on a set of computer objects (servers) in particular OUs.
>
> I am looking at using Restricted Groups to allow this to happen, so my scenario would be the following.
>
> 1) How to designate the Local administrators group of the Server/Servers within the GUI of the group policy Object, so I can say that Group X in Domain X should be a member of the local administrators group enforced by this group policy which is applied to the OU in which the computer objects apply. (Same would go for Power Users).
>
> Any white papers, or KB articles that have been of use in your application of this feature would be gratefully appreciated, since the management here needs this to happen in short order.
>
> Please advise,
> EZ
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email:ezi...@lifespan.org
> Cell:401-639-3505
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
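
Added example, not part of the thread: a small Python model of the two Restricted Groups methods KenM describes, read from a constructed `[Group Membership]` section in the form a GPO's GptTmpl.inf stores these settings. Real files usually hold `*SID` values rather than names; the EXAMPLE domain, every account and the function names are made up, and the refresh logic is a simplified assumption meant for previewing what the first method would strip from a server.

```python
# Added example: names, domain and accounts below are constructed.
SAMPLE_INF = r"""
[Group Membership]
Administrators__Memberof =
Administrators__Members = Administrator,EXAMPLE\Server Admins
EXAMPLE\Helpdesk__Memberof = Power Users
EXAMPLE\Helpdesk__Members =
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, kind = key.strip().rpartition("__")
            names = [v.strip() for v in value.split(",") if v.strip()]
            policy.setdefault(group, {})[kind.lower()] = names
    return policy

def apply_policy(policy, local_groups):
    """Model one policy refresh; returns the new membership of each local group."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, entry in policy.items():
        # First method ("Members of this group"): the list replaces whatever
        # the local group held. Assumption: ignored for non-local groups.
        if group in result and "members" in entry:
            result[group] = set(entry["members"])
    for group, entry in policy.items():
        # Second method ("This group is a member of"): additive only.
        for target in entry.get("memberof", []):
            if target in result:
                result[target].add(group)
    return result

def removed_by_policy(policy, local_groups):
    """Accounts each local group would lose, for review before linking the GPO."""
    after = apply_policy(policy, local_groups)
    return {g: set(m) - after[g] for g, m in local_groups.items() if set(m) - after[g]}

# Constructed current state of one server.
CURRENT = {
    "Administrators": {"Administrator", r"EXAMPLE\Domain Admins", r"EXAMPLE\jsmith"},
    "Power Users": {r"EXAMPLE\appsvc"},
}

if __name__ == "__main__":
    print(apply_policy(parse_group_membership(SAMPLE_INF), CURRENT))
    print(removed_by_policy(parse_group_membership(SAMPLE_INF), CURRENT))
```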