Restricted Groups...with exceptions

  • Thread starter: Guest

Hello all, successfully using the group policy restricted groups to allow the
necessary users local admin access globally--it works great, until a new
policy was established. New policy states that some of my users are to be
granted full local administrator rights to their own PCs.

So, now my requirement is certain users need local admin access to all PCs
while some users need admin access to their own PCs.

It would not be desirable to add these users to a global local admins group.
I would prefer to not create another OU (I would have to do this at
multiple sites and then I assume I'd need to manually add my global groups)
where the restricted groups policy is not run...

Any thoughts or suggestions on how to accomplish this?

Thanks much

George
 
If the sites are all within the domain, you shouldn't have to create
OU's at each individual site.

I have multiple sites, and when I change something on Site 1, Site 2 is
gonna hear about it!

If the groups are *global* then they should be *globally* addressable.
Again, I'm assuming you are using different sites/servers in the same
domain. If they aren't in the same domain, or even the same forest
(where global groups would still apply), then yes, you would have to
make separate groups/OU's.

I have OU's for 'employees', 'administrators', and 'customers'. Each
one has a separate policy for access restrictions, IPSec, etc. This
way it isn't so hard.

Are you in mixed-mode with an NT4 machine running as a BDC? If so, you
would have a problem with OU's because NT4 couldn't differentiate
between the OU's. But then again NT4 can't even read GP's anyway.

If the domains are in separate forests, maybe it's time for you to plan
a network redesign as it sounds like they belong in the same forest.
 