Tony,
Take a look at the Restricted Groups GPO. There is a fix to modify the way
that the GPO is processed. They way that it happens out-of-the-box is that
the GPO will flush all current users / groups out of the local
Administrators group and then populates it with the group of your choice.
This would be a potentially bad thing as the Domain Admins group is a member
of the local Administrators group...
So, you can either add two groups ( the group of your choice -AND- the
Domain Admins group ) or you can apply the patch.
Here are the two MSKB Articles that will help you:
http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076
You will need to contact the MS-PSS group to get the patch mentioned in
810076. You will not be charged so long as you mentioned the MSKB Article
Number. Also, there are two versions of the patch: one for XP and one for
2000. Depending on your environment make sure that you apply the right
patch to the right OS. You would need to apply the patch to all of your
systems before you make use of the Restricted Groups GPO.
Also, notice that you need to do most of this from a WIN2000 Pro system (
or, now from a WIN XP Pro ). It clearly states this in the MSKB Article but
a lot of people do not notice this hint. You will have problems doing this
if you try while on the DC....
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com