OK, here's the latest: the restricted groups policy did remove the domain admin from
the local administrator account on the DC's (net localgroup administrators came back
with just local administrator (which is the domain administrator), running net
localgroup administrators "\domain admins" /ad
I believe we set up laptop hardware
profiles so the Wi-Fi is disabled when docked, I haven’t checked
thoroughly into this, but I noticed when docked it’s disabled and when at
home it is “magically” on. I don’t deal with that area,
but it should be a straight-forward thing to do. Yes wirel
I am sure I am asking the obvious here - but for the sake of clarity
Why don't you just modify the restricted group you created
(Administrators) and include all the users/groups that you want to
forcibly place in that group and let the policy replicate and then
reapply (automatically in time)?
I already tried that, the restricted group policy only strips the memberships for that
group, it does not reapply. It is an extremely dangerous policy to casually use
(especially in the default domain policy). Once domain admins is removed from the
local admin group, you are screwed beyond belie
A good tool for Admin passwords is the Locksmith one from
sysinternals.com
Gideon,
While I am sure that you are describing your experience, I am certain
that the GPO setting can be used to both add and remove users from the
group. Here is the output from the winlogon.log that shows that this
process can indeed add and remove accounts and groups.
Process GP template gpt
Huh. I hate to say, nope - that's not the way it works, but I guess what
else should one say? It apparently is working that way in your environment
for some yet unknown reason.
Review this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q228496
And this:
http://www.microsoft.com/resour
Couple of things to check. First off, make sure you don't fall under
this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810076
Next, you've already made the observation, but setting restricted groups
policy on a GPO that affects DCs (as the default domain policy will) is
bad
I happen to be one of the proponents of this method. It's inelegant, and yes,
unsafe. Unfortunately, it's the quickest, easiest, freest and
proven-to-work-est method I know of.
Now, Eric, isn't it time that we get something useful and safe from you and
the crew at MS along this line? This is not
>>>I'm somewhat surprised by your experience with Restricted Groups, as I'm
using it very effectively in our 25k seat environment.
Don't be surprised, Rick. Remember that the RG thingy was redesigned to work
"properly" not too long ago (circa 6 months or so). IIRC, the RG only works
"properly" at
Deji,
Thanks - once again the old adage comes true. You learn something new every
day ;o)
-rtk
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 27, 2004 7:56 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subj
11 matches
Mail list logo