RE: GPO Best Practices

2010-01-26 Thread Brian Desmond
- 312.731.3132 -Original Message- From: John Bowles [mailto:john.bow...@wlkmmas.org] Sent: Thursday, January 21, 2010 9:17 AM To: NT System Admin Issues Subject: RE: GPO Best Practices I'm looking for a best practices kind of thing here... When admins want to force other groups or accounts

RE: GPO Best Practices

2010-01-21 Thread John Bowles
:09 PM To: NT System Admin Issues Subject: Re: GPO Best Practices NP On Wed, Jan 20, 2010 at 12:27, Jon Harris jk.har...@gmail.com wrote: My bad you are correct I forgot to say that was true and this is how it is done. Sorry. Jon On Wed, Jan 20, 2010 at 1:45 PM, Kurt Buff kurt.b

RE: GPO Best Practices

2010-01-21 Thread Ken Schaefer
To: NT System Admin Issues Subject: RE: GPO Best Practices I'm looking for a best practices kind of thing here... When admins want to force other groups or accounts to workstations outside of domain admins, and not allowing the local admin to modify the list.. Do they create a separate GPO

RE: GPO Best Practices

2010-01-21 Thread Free, Bob
Actually that feature was updated in 2kSp4 so you could even do it on a W2K domain -Original Message- From: asbz...@gmail.com [mailto:asbz...@gmail.com] Sent: Wednesday, January 20, 2010 10:59 AM To: NT System Admin Issues Subject: Re: GPO Best Practices You can do it in 2003

RE: GPO Best Practices

2010-01-20 Thread Andy Ognenoff
You can do what you are talking about with Restricted Groups. This should get you what you need: http://www.frickelsoft.net/blog/?p=13 - Andy O. From: John Bowles [mailto:john.bow...@wlkmmas.org] Sent: Wednesday, January 20, 2010 9:00 AM To: NT System

RE: GPO Best Practices

2010-01-20 Thread Kennedy, Jim
Yes, that is how restricted groups work, it overwrites whatever is existing on the current machine. The best way to do it, then your GPO is the definitive authority on who is a local admin. So yes, servers should be in separate OU's so they can have their own GPO's on this issue and all the

Re: GPO Best Practices

2010-01-20 Thread Stephen Wimberly
Servers and workstations should be in different OU's for a variety of reasons, GPO is one of the best reasons. We used to use restrictive groups for the local Administrators group, but yes this does delete all contents and replace with the contents of the GPO. If you have Server 2003 Domain

RE: GPO Best Practices

2010-01-20 Thread John Bowles
GPP? John Bowles From: Stephen Wimberly [swimbe...@gmail.com] Sent: Wednesday, January 20, 2010 10:14 AM To: NT System Admin Issues Subject: Re: GPO Best Practices Servers and workstations should be in different OU's for a variety of reasons, GPO is one

RE: GPO Best Practices

2010-01-20 Thread Ken Schaefer
You should structure your OUs to support (a) delegation of administration (if required) and (b) support efficient linking of GPOs. Just about every place that I've been has had servers (e.g. broken down by functionality) and workstations (usually then subdivided into desktops and laptops) in

Re: GPO Best Practices

2010-01-20 Thread Jonathan Link
Group Policy Preferences. Painstakingly sent from my iPhone. On Jan 20, 2010, at 10:16 AM, John Bowles john.bow...@wlkmmas.org wrote: GPP? John Bowles From: Stephen Wimberly [swimbe...@gmail.com] Sent: Wednesday, January 20, 2010 10:14 AM To: NT System Admin Issues Subject: Re: GPO

RE: GPO Best Practices

2010-01-20 Thread Joe Tinney
, 2010 10:06 AM To: NT System Admin Issues Subject: RE: GPO Best Practices Yes, that is how restricted groups work, it overwrites whatever is existing on the current machine. The best way to do it, then your GPO is the definitive authority on who is a local admin. So yes, servers should

RE: GPO Best Practices

2010-01-20 Thread Andy Ognenoff
OU structure aside (separating them is good practice for all of the reasons stated) - your first thought to use Restricted Groups was definitely a way to accomplish the task - that's exactly what we do here. Just use the "This group is a member of:" box with Administrators added to it and leave the

RE: GPO Best Practices

2010-01-20 Thread Carol Fee
Aren't the Domain Admins automatically added to the local Administrators when the computer is joined to the domain ? CFee From: John Bowles [mailto:john.bow...@wlkmmas.org] Sent: Wednesday, January 20, 2010 10:00 AM To: NT System Admin Issues Subject: GPO Best Practices I have a customer who is

RE: GPO Best Practices

2010-01-20 Thread John Bowles
Thanks to everyone for their ideas. This was very helpful! John Bowles From: Andy Ognenoff [andyognen...@gmail.com] Sent: Wednesday, January 20, 2010 10:30 AM To: NT System Admin Issues Subject: RE: GPO Best Practices OU structure aside (separating

RE: GPO Best Practices

2010-01-20 Thread Eisenberg, Wayne
Admin Issues Subject: RE: GPO Best Practices Thanks to everyone for their ideas. This was very helpful! John Bowles From: Andy Ognenoff [andyognen...@gmail.com] Sent: Wednesday, January 20, 2010 10:30 AM To: NT System Admin Issues Subject: RE: GPO Best

Re: GPO Best Practices

2010-01-20 Thread Kurt Buff
To my certain knowledge, yes. This leads me to wonder why this is an issue. I can only think of one reason: Non-DAs are also admins or power users, and they want to ensure that the non-DAs can't kick the DAs off the workstations. Kurt On Wed, Jan 20, 2010 at 07:40, Carol Fee c...@massbar.org

Re: GPO Best Practices

2010-01-20 Thread Jon Harris
I believe DA's are added to the Administrators group but are not local Administrators. From my experience local administrators can trump DA's and where possible it is best to remove local administrators from the Administrators group to prevent this. The other tactic to take would be to disable

Re: GPO Best Practices

2010-01-20 Thread Kurt Buff
I think you're kinda saying the same thing I am. DAs are added to any non-DC's local Administrators group when added to the domain, unless things have changed since Win2k3 R2 SP2+ and XP SP3+. They are, by default, admins on any machine joined to the domain, though the local Administrator can

Re: GPO Best Practices

2010-01-20 Thread asbzone
2010 11:48:56 To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Subject: RE: GPO Best Practices Group Policy preferences in AD 2008 actually allows you to add/remove/update groups without deleting all previous group members, unlike group policy in 2003. -Original Message

Re: GPO Best Practices

2010-01-20 Thread Jon Harris
My bad you are correct I forgot to say that was true and this is how it is done. Sorry. Jon On Wed, Jan 20, 2010 at 1:45 PM, Kurt Buff kurt.b...@gmail.com wrote: I think you're kinda saying the same thing I am. DAs are added to any non-DC's local Administrators group when added to the

Re: GPO Best Practices

2010-01-20 Thread Kurt Buff
NP On Wed, Jan 20, 2010 at 12:27, Jon Harris jk.har...@gmail.com wrote: My bad you are correct I forgot to say that was true and this is how it is done. Sorry. Jon On Wed, Jan 20, 2010 at 1:45 PM, Kurt Buff kurt.b...@gmail.com wrote: I think you're kinda saying the same thing I am. DAs