
Question concerning Restricted Groups. Adding a local user account

Author
13 Nov 2006 4:37 PM
chief123
Just want to verify something that I believe is OK to do.

The OU my workstations are in uses Restricted Groups in a GPO. One of the
groups added to this list is the local Administrators group so we can
restrict what domain users and groups are given local admin rights to the
workstations.

We need to add a new "local" account (let's call it "newlocal") to each
workstation and make this account a "local" admin. I have a script to
accomplish this, but need the AD folks to make a change to the Restricted
groups setting in the GPO to add this new "local" account to the
Administrators list in the restricted group. This is so the new account will
not be removed once policies are enforced.

Isn't it OK to simply add the "newlocal" account to the list of allowed
Administrators in the Restricted Groups policy? Will this cause any issues?
The reason I ask is because one of the AD guys I talked to didn't think they
could add any account that wasn't a member of the domain. This account isn't
a member of the domain, but will be a new local account that will be added to
the local admin group via a script.

Thx

Author
13 Nov 2006 7:00 PM
Paul Williams [MVP]
> Isn't it OK to simply add the "newlocal" account to the list of allowed
> Administrators in the Restricted Groups policy? Will this cause any
> issues?

No it will not cause any issues.  This is the correct way of doing this.


> The reason I ask is because one of the AD guys I talked to didn't think
> they could add any account that wasn't a member of the domain

You can add a non-domain user.  Whereas domain users are represented as
DOMAIN\User, this will be WORKSTATION\User.  However, the GPO Editor won't be
able to resolve the SID of the user unless you use a workstation with this
user.  However, that doesn't matter, as the SID will differ on each box.  As
long as the name is entered correctly it will resolve to the necessary SID
at GPO application and you'll be fine.


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net http://forums.msresource.net
Author
13 Nov 2006 11:35 PM
chief123
Very good. So all I need to do is add "newlocal" to the list and I don't need
to put something like WORKSTATION\newlocal.

I went ahead and added "newlocal" in my test environment GPO and it seems to
work fine. However, I do not support AD directly and need to defer to our
production AD support folks on this stuff.

Thanks!

Author
14 Nov 2006 6:56 AM
Paul Williams [MVP]
Correct.  Adding an unqualified name (without a domain) will cause the
machine that is processing the policy to check the local SAM.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net http://forums.msresource.net
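The two answers above describe how a Restricted Groups member name is resolved at apply time: an unqualified name is looked up in the workstation's local SAM, so the resulting SID differs on every box, while DOMAIN\User resolves to one domain SID. The following PowerShell script is an added example for checking that behaviour on a single workstation; it is not code from this thread or from Paul Williams. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroupMember) and an elevated session. "newlocal" is the account name from the thread; the other names in the sample member list are constructed placeholders.

```powershell
# Added example, not from the thread: resolve a Restricted Groups member list the way
# the policy engine does on this workstation and compare it with the current
# membership of the local Administrators group.
# Assumptions: Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module; run elevated. 'newlocal' comes from the thread; 'CONTOSO\Workstation Admins'
# is a constructed placeholder for a domain group in the configured list.
param(
    [string[]]$ExpectedMembers = @('Administrator', 'newlocal', 'CONTOSO\Workstation Admins')
)

function Resolve-MemberSid {
    param([string]$Name)
    # NTAccount.Translate performs the same lookup the policy engine does:
    # an unqualified name is checked against the local SAM, a DOMAIN\Name
    # against the domain. Unknown names return $null instead of throwing.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    try {
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null
    }
}

# The machine SID is the account-domain part of any local SAM account's SID
# (S-1-5-21-<machine>-<RID>); local and domain accounts are told apart by it.
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

# Resolve each configured member and record where its SID came from.
$resolved = foreach ($name in $ExpectedMembers) {
    $sid = Resolve-MemberSid $name
    if (-not $sid) {
        $source = 'unresolved'
    } elseif ($sid.AccountDomainSid -eq $machineSid) {
        $source = 'local SAM'
    } else {
        $source = 'domain / built-in'
    }
    [pscustomobject]@{
        Name     = $name
        Sid      = if ($sid) { $sid.Value } else { $null }
        Resolved = [bool]$sid
        Source   = $source
    }
}
$resolved | Format-Table -AutoSize

# Restricted Groups makes the configured list authoritative: members listed under
# 'Extra' are removed at the next policy refresh, members under 'Missing' have not
# been added yet, and 'Unresolved' names are silently skipped by the engine.
$current      = Get-LocalGroupMember -Group 'Administrators'
$expectedSids = $resolved | Where-Object Resolved | ForEach-Object { $_.Sid }
$currentSids  = $current  | ForEach-Object { $_.SID.Value }

[pscustomobject]@{
    Missing    = @($resolved | Where-Object { $_.Resolved -and $currentSids -notcontains $_.Sid } |
                    Select-Object -ExpandProperty Name)
    Extra      = @($current  | Where-Object { $expectedSids -notcontains $_.SID.Value } |
                    Select-Object -ExpandProperty Name)
    Unresolved = @($resolved | Where-Object { -not $_.Resolved } |
                    Select-Object -ExpandProperty Name)
} | Format-List
```

Running this before and after `gpupdate /force` shows the effect the thread describes: 'newlocal' resolves under 'local SAM' with a SID that is unique to the workstation, the domain group resolves to the same SID everywhere, and a typo in the configured name shows up as 'unresolved' rather than as an error.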
Author
14 Nov 2006 2:36 PM
chief123
Outstanding. Thanks.
