Shayne D. Swann
This kinda defeats the purpose of restricted groups but my company is
currently redesigning their group policy infrastructure and have decided to
use restricted groups.
Currently there are quite a few users who are members of the local
administrators group of their assigned workstation because of business
requirements.
Goal:
To implement the use of restricted groups while allowing the current local
administrators of a system to remain local administrators.
We have thought of a few workarounds but here are some of the problems we
are facing:
1. Gather all of the members that will need local administrator rights on
their workstations to a domain local group and adding that group to the
restricted group we place on the workstations.
The problem with this is we don't want to grant all users in this group local
admin rights to all of the computers.
2. Use computer login scripts to add the specified domain groups to the local
administrators group without using restricted groups.
The problem with this is there is no group policy refresh, and these groups
(if a local administrator removes them) will only apply at computer logon.
Is there any known "happy medium" for meeting this requirement?