Restricted groups

  • Thread starter: JASONT

Are you referring to the restricted groups policy setting? If so, it allows
you to add or remove users from local groups on domain members. Some people
use it to add a group of users to the local administrators group on each
workstation in the domain so that they do not have to visit each DC and do
this manually. I've pasted a description of the setting below.

Restricted Groups
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Description
Restricted groups allow an administrator to define two properties for
security-sensitive groups (that is, "restricted" groups).

The two properties are Members and Member Of. The Members list defines who
should and should not belong to the restricted group. The Member Of list
specifies which other groups the restricted group should belong to.

When a restricted Group Policy is enforced, any current member of a
restricted group that is not on the Members list is removed. Any user on the
Members list who is not currently a member of the restricted group is
added.

Note

The Restricted Groups folder is available only in Group Policy objects
associated with domains, OUs, and sites. The Restricted Groups folder does
not appear in the Local Computer Policy object.

If a Restricted Group is defined such that it has no members (that is, the
Members list is empty), then all members of the group are removed when the
policy is enforced on the system. If the Member Of list is empty, no changes
are made to any groups that the restricted group belongs to. In short, an
empty Members list means the restricted group should have no members, while
an empty Member Of list means "don't care" what groups the restricted group
belongs to.

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
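
Added example, not part of the original thread: a dry-run that applies the Members / Member Of rules described in the post above to a constructed policy and a constructed snapshot of local group membership, so the removals (including the empty-Members case) are visible before the policy is linked. The `<group>__Members` / `<group>__Memberof` keys follow the `[Group Membership]` layout of a GptTmpl.inf security template; the group and account names and both function names are assumptions made for the example.

```python
import configparser

# Constructed sample policy; every group carries both keys.
SAMPLE_INF = """\
[Group Membership]
Administrators__Members = CORP\\Domain Admins,CORP\\Desktop Support
Administrators__Memberof =
Remote Desktop Users__Members =
Remote Desktop Users__Memberof =
"""

# Constructed snapshot of current local group membership on one workstation.
SAMPLE_CURRENT = {
    "Administrators": ["CORP\\Domain Admins", "CORP\\jsmith"],
    "Remote Desktop Users": ["CORP\\contractor1"],
}

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of group names
    cp.read_string(inf_text)
    groups = {}
    for key, value in cp.items("Group Membership"):
        group, _, prop = key.rpartition("__")
        names = [n.strip() for n in value.split(",") if n.strip()]
        # Assumption: a key that is absent is treated like an empty list.
        groups.setdefault(group, {"members": [], "memberof": []})[prop.lower()] = names
    return groups

def plan_enforcement(policy, current):
    """Compute what enforcement would change, per the rules in the post."""
    plan = {}
    for group, props in policy.items():
        want = {m.lower(): m for m in props["members"]}
        have = {m.lower(): m for m in current.get(group, [])}
        plan[group] = {
            "add": sorted(want[k] for k in want.keys() - have.keys()),
            "remove": sorted(have[k] for k in have.keys() - want.keys()),
            "emptied": not want and bool(have),  # empty Members list wipes the group
            "ensure_member_of": props["memberof"],  # empty list means no change
        }
    return plan

if __name__ == "__main__":
    for group, change in plan_enforcement(parse_restricted_groups(SAMPLE_INF), SAMPLE_CURRENT).items():
        print(group, change)
```
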
 
> use it to add a group of users to the local administrators group on each
> workstation in the domain so that they do not have to visit each DC and do
> this manually.

I think you mean each machine - DCs don't have local admins. :)

--
Brian Desmond
Windows Server MVP

Http://www.briandesmond.com
 
Thanks Brian, that is what I meant. I started off saying it right by saying
"use it to add a group of users to the local administrators group on each
workstation in the domain", then I made the error of saying DC.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

 