advise needed

Dany · Jan 11, 2005

Hi,

i'm new to gpo and I need someone to validate my understanding of
filtering.

I want some users be admin of any computers in my network.

I create a security group called "ComputersAdmin" and add some users
into that group. This group can located anywhere in my organisation.

Then I create a GPO called "computeradminGPO" and link it to my
domain.

I modify the gpo and add the "ComputersAdmin" group to be member of
the local administrator group.

After that, I go into the properties/security of my GPO and remove
"Authenticated Users" group. I add "ComputersAdmin" group and grant
the following rights: READ - Apply/Allow Group Policy.

That's it.

Is there something I've missed? Anything that I should be aware?

Thanks in advance and excuse my poor English. It's not my native
language.

Lenny

Mark Renoden [MSFT] · Jan 11, 2005

Hi Lenny

What are you trying to achieve by implementing these steps?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Cary Shultz [A.D. MVP] · Jan 12, 2005

Dany or Lenny,

It sounds like you want to use the Restricted Groups GPO to make a certain
security group a member of the affected computer's Local Administrators
group.

For example, you would create a security group, make the desired user
account objects a member of that specific group and then have that specific
group become a member of the computers Local Administrators group.

If this is indeed what you want then please take a look at the following two
MSKB Articles:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

It is very important that you follow 320065 and notice the IMPORTANT!!!!!!
heading after point three. You might want to get in the habit of doing all
of this from a workstation. You can install the Adminpak on the workstation
of your choice.

Also notice that I have included 810076. This requires that you call
MS-PSS to get the fixes. Yes, there are two: one for WIN2000 and one for
WINXP. You would need to install the appropriate patch on all of your
computers ( Domain Controllers, Member Servers, Workstations ) and then set
up the GPO.

I do not have my two web sites completed yet but you might want to take a
spin to both every now and again. The Group Policy site is not yet started,
but will be soon. The Active Directory site is being built as we speak. It
will just take a little bit of time...

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

advise needed

Dany

Mark Renoden [MSFT]

Cary Shultz [A.D. MVP]