Printable View
Can you use the GPO 'Restricted Groups' setting for local groups?
I need to place the 'Domain Admin' global group back into the 'Local Admins'
on computers with users who have local admin rights -> hmmm :-(
The Online Help for this topic says 'Local Groups' are not supported, which
is confirmed by my testing. Is there a work around?
When specifying the local Administrators group type builtin\administrators
rather than going to Browse and selecting Administrators.
Or use the 'browse', but change the source in the "select objects from..."
box (as long as you are not on a DC at the time, you will get the local
accounts list to choose from)
Don't forget that restricted groups does a rip-and-replace, not a merge.
Thank U, using 'builtin\Administrators' on a non DC server worked. :-)
Ok, I can see restrictive groups for the whole domain but how do I get to the one in OU? (Using server 2008)
I used gpedit.msc and can't see restrictive groups when I go in there... Please help, I think I understand the rest, I am just not sure which restrictive groups to put it in...
Use Group Policy Management Console rather that gpedit.msc. Refer to
http://technet.microsoft.com/en-us/l.../cc759123.aspx
From the looks of the article, it says not to edit the default domain policy... is the best practice here just to create a new policy for your company and leave the defaults in place? (It's a small shop of about 30 people and only 15 computers).
That would be my recommendation. It makes it easier to fall back to the
original state in case of problems...
Thank you for your help.