Subject: [ActiveDir] Apply a GPO only to users who are local admins
AD000001290

02/24/2006 10:49 AM  
Here is a question put to me by a colleague:
"Does anyone know if it is possible to set a GPO only for users that are local administrators without using AD groups? e.g. if you wanted to set a particular setting for users who have their user accounts explicitly added to the local admins group on their box rather than via group membership."

Is this possible? My initial thought is to use WMI filters, but this could be expensive.
neil

___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.

deppdm@xxxx.yyy

02/24/2006 1:10 AM  
Yes, this is possible using restricted groups. Instead of defining the
explicit membership of a group, you can use restricted groups to add a
member to a local group. Check out KB article 228496.

Dennis

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Friday, February 24, 2006 5:47 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Apply a GPO only to users who are local admins

Here is a question put to me by a colleague:

"Does anyone know if it is possible to set a GPO only for users that are
local administrators without using AD groups? e.g. if you wanted to set
a particular setting for users who have their user accounts explicitly
added to the local admins group on their box rather than via group
membership."

Is this possible? My initial thought is to use WMI filters, but this
could be expensive.

neil
___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
AD000001290

02/24/2006 1:44 AM  
Let me re-word my question :)

- A GPO exists which is linked to the domainDNS object
- It has User config settings
- The requirement is that these settings only be applied to domain user
objects which are also members of the local admin group on the domain
member machine that they are logged on at.
Is this possible?

Thanks,
neil
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Depp, Dennis M.
Sent: 24 February 2006 13:09
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Apply a GPO only to users who are local admins

Yes, this is possible using restricted groups. Instead of defining the
explicit membership of a group, you can use restricted groups to add a
member to a local group. Check out KB article 228496.

Dennis

darren.marelia@xxxx.yyy

02/24/2006 4:19 AM  
Neil-
That is a tough one. What you're trying to do is essentially filter a
user policy based on transient (i.e. it could change at any time)
computer criteria (member machine local group membership). It's always
difficult to do that if you're not using something like loopback, which
probably wouldn't work here anyway. A WMI filter might work if you could
craft a WQL statement that can get the currently logged on user and
query to see if they are in the local Admin group, but, that's beyond my
WMI knowledge. Maybe if Alain is lurking...


Darren

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
neil.ruston@xxxxxxxxxxxxx
Sent: Friday, February 24, 2006 5:40 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Apply a GPO only to users who are local admins

Let me re-word my question :)

- A GPO exists which is linked to the domainDNS object
- It has User config settings
- The requirement is that these settings only be applied to domain user
objects which are also members of the local admin group on the domain
member machine that they are logged on at.
Is this possible?

Thanks,
neil
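
Added example (not part of the original thread and not from any poster): a PowerShell check, run on the member machine in the user's session, of whether the current account is listed explicitly in the local Administrators group rather than holding admin rights through a nested group, which is the distinction the question draws. It is not a WMI filter and does not change GPO scoping; `Test-ExplicitLocalAdmin` is a hypothetical name, and `Get-LocalGroupMember` assumes Windows PowerShell 5.1 or later.

```powershell
# Added example. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
# so the lookup does not depend on the group's localized name.
function Test-ExplicitLocalAdmin {
    [CmdletBinding()]
    param(
        # SID string of the account to test; defaults to the current user.
        [string]$UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )

    # Direct members only: a nested group is returned as a single 'Group'
    # entry and its own members are not expanded.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    $direct = $members | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.SID.Value -eq $UserSid
    }

    [pscustomobject]@{
        UserSid        = $UserSid
        ExplicitMember = [bool]$direct
        # Groups through which admin rights could be held indirectly.
        NestedGroups   = @($members |
                           Where-Object { $_.ObjectClass -eq 'Group' } |
                           ForEach-Object { $_.Name })
    }
}

$result = Test-ExplicitLocalAdmin
if ($result.ExplicitMember) {
    # Placeholder: the per-user setting would be applied here.
    Write-Output "Explicit local admin: $($result.UserSid)"
} else {
    Write-Output ("Not an explicit member; groups in Administrators: " +
                  ($result.NestedGroups -join ', '))
}
```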