Local Machine Rights thru Group Policy


Guest

Hi,

I have a Windows 2000 Active Directory network with mostly
Windows XP Pro clients connected to it. Is there any easy
way, either thru a script or thru Group Policy, that I can
change local machine rights on all the clients? I have
quite a few machines where some users are set up as Local
Administrators and I would like to be able to change them
to Users or Power Users without having to go to each
machine individually.

Thanks.
 
You may want to look into using Restricted Groups to use at the OU level to
enforce membership of local groups on computers in that OU. That works well
if you want to have the same users/groups to be members of the local
administrators/power users groups on ALL the machines in the OU. You could
for instance restrict only a particular group to be in the local
administrators group and perhaps "domain users or a newly defined group" to
be in the power users group which would then make all the users that logon
to those OU machines power users on any machine in that OU they logon to. If
that is more than you want you may also look into using cusrmgr to script
adding users to each machine's power users group where needed and still
possibly using Restricted Groups to manage local administrator group
membership. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;810076
http://support.microsoft.com/default.aspx?scid=kb;en-us;297307 --- example
of cusrmgr
http://www.jsifaq.com/sube/tip2400/rh2445.htm
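
The reply above notes that Restricted Groups enforces local group membership on every machine in the OU. The sketch below is an added example, not part of the original post: it previews which accounts would be dropped or added on each machine once a "Members" list is enforced. It assumes entries are written by name in the layout of a security template's [Group Membership] section (real templates may store SIDs prefixed with `*`), and every domain, group, user and machine name in it is constructed sample data.

```python
# Added example: preview what a Restricted Groups "Members" list would change.
# All group, user and machine names below are constructed sample data.

TEMPLATE = r"""
[Group Membership]
Administrators__Memberof =
Administrators__Members = EXAMPLE\Domain Admins,EXAMPLE\Desktop Admins
Power Users__Memberof =
Power Users__Members = EXAMPLE\Domain Users
"""

# Constructed inventory: current local group members per machine.
INVENTORY = {
    "XP-001": {"Administrators": [r"EXAMPLE\Domain Admins", r"EXAMPLE\jsmith"],
               "Power Users": []},
    "XP-002": {"Administrators": [r"EXAMPLE\Domain Admins", r"EXAMPLE\Desktop Admins"],
               "Power Users": [r"EXAMPLE\Domain Users"]},
}


def parse_members(template):
    """Return {group: set(members)} from the [Group Membership] section."""
    policy, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        if kind.lower() == "members":
            policy[group] = {m.strip().lower() for m in value.split(",") if m.strip()}
    return policy


def preview(policy, inventory):
    """List (machine, group, removed, added) where enforcement changes membership."""
    changes = []
    for machine, groups in sorted(inventory.items()):
        for group, wanted in sorted(policy.items()):
            current = {m.lower() for m in groups.get(group, [])}
            removed, added = sorted(current - wanted), sorted(wanted - current)
            if removed or added:
                changes.append((machine, group, removed, added))
    return changes


if __name__ == "__main__":
    for machine, group, removed, added in preview(parse_members(TEMPLATE), INVENTORY):
        print(f"{machine} {group}: remove {removed} add {added}")
```

Anything in the "remove" column is an account that loses its local rights when the policy applies, so it is worth reviewing that list before linking the GPO to the OU.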
 
Thanks for the info....I will give it a shot.

 