Controlling Member of Local Admin Group per Policy

Guest

I would like to control the members of the local admin group of my desktops per policy.
That is no real problem, except that one of the groups to be added contains the computer name.

So I would like the following groups to be a member:
Domain\Domain Admin
Domain\Desktop Manager
Domain\%ComputerName%-Admin

The first two are easy, but the last one is not.
I know I can set them with net localgroup (and we do during installation), but I want to enforce this.
So the real question is "How to use environment variables in group names in a policy?"

Can anybody help here?
 
I don't think restricted groups policy can expand environment variables. You
can consider using startup script with a command:
net localgroup administrators domain\%computername%-admins /add
 
Net Localgroup won't do the trick.
Half the users are not local admins and cannot run that.
The other half is, but might have added some extra groups/users we want to get rid of.
 
Startup script is launched with permissions of local system, so it can do
anything, including changes to the local machine groups.
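
The startup-script approach from the replies above, extended so that it also removes members that are not on the list (the concern raised about extra groups/users). This is an added example, not part of the original thread. It assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets, uses 'Domain' as a placeholder for the NetBIOS domain name, and keeps the built-in local Administrator account.

```powershell
# Added example: computer startup script, runs as Local System at boot.
# Assumption: 'Domain' is a placeholder; replace it with the NetBIOS domain name,
# because Get-LocalGroupMember reports members as NETBIOSDOMAIN\name.
$ErrorActionPreference = 'Stop'      # abort on the first failure (see apply step)
$Domain   = 'Domain'
$AdminSid = 'S-1-5-32-544'           # built-in Administrators, independent of OS language

# Desired members, as listed in the question. The per-computer group name is
# built at run time, which a Restricted Groups policy cannot do.
$Desired = @(
    "$Domain\Domain Admin",
    "$Domain\Desktop Manager",
    "$Domain\${env:COMPUTERNAME}-Admin"
)

function Compare-AdminMembership {
    # Returns what must be added and removed to make Current equal Desired.
    # -notin compares case-insensitively, matching Windows account names.
    param([string[]]$Current, [string[]]$Desired)
    [pscustomobject]@{
        ToAdd    = @($Desired | Where-Object { $_ -notin $Current })
        ToRemove = @($Current | Where-Object { $_ -notin $Desired })
    }
}

# Current members, excluding the built-in local Administrator (RID 500),
# which this example deliberately leaves in place (assumption).
$current = @(Get-LocalGroupMember -SID $AdminSid |
    Where-Object { -not ($_.PrincipalSource -eq 'Local' -and $_.SID.Value -like '*-500') } |
    ForEach-Object { $_.Name })

$delta = Compare-AdminMembership -Current $current -Desired $Desired

# Add first, remove second: if a domain group cannot be resolved (for example
# the network is not up yet), the script stops before removing anything.
foreach ($m in $delta.ToAdd) {
    Add-LocalGroupMember -SID $AdminSid -Member $m
    Write-Output "Added $m to local Administrators"
}
foreach ($m in $delta.ToRemove) {
    Remove-LocalGroupMember -SID $AdminSid -Member $m
    Write-Output "Removed $m from local Administrators"
}
```

Because it runs at every boot, membership changed by a local admin is reset at the next restart, not immediately.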
 