Default Security Groups

Mike
02-21-2007
By default, the Domain Admins group is a member of the Administrators group
on all computers that have joined a domain, including the domain
controllers.

Does anyone know how to change this default behaviour? Specifically, we would
like to add a second security group to the computer's administrator group,
based on which OU the computer was created in prior to joining, without using
scripts.







 
Dragos CAMARA
02-21-2007
Hi,
you can use restricted groups.

If you don't want to wipe the local administrators group, you have to use
the restricted groups memberof behavior:
http://support.microsoft.com/kb/810076
--
Dragos CAMARA
MCSA Windows 2003 server


"Mike" wrote:

> By default, the Domain Admins group is a member of the Administrators group
> on all computers that have joined a domain, including the domain
> controllers.
>
> Does anyone know how to change this default behaviour? Specifically, we would
> like to add a second security group to the computer's administrator group,
> based on which OU the computer was created in prior to joining, without using
> scripts.

Mike
02-21-2007
Thanks Dragos.



There's no way of leaving the groups and users that are currently in the
administrators security group? Particularly individual user accounts.



"Dragos CAMARA" <> wrote in message
news:2F0B63E5-9127-4294-8E8D-...
> Hi,
> you can use restricted groups.
>
> If you don't want to wipe the local administrators group, you have to use
> the restricted groups memberof behavior:
> http://support.microsoft.com/kb/810076
> --
> Dragos CAMARA
> MCSA Windows 2003 server

Jorge Silva
02-21-2007
Hi,
instead of using "Members of this group", you use "This group is a member of".


--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Mike" <> wrote in message
news:...
> Thanks Dragos.
>
>
>
> There's no way of leaving the groups and users that are currently in the
> administrators security group? Particularly individual user accounts.

Paul Bergson [MVP-DS]
02-21-2007
Yes

computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articl...ed-Groups.html

http://www.microsoft.com/technet/pro...a15c18f6a.mspx

http://www.microsoft.com/resources/d...ictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mike" <> wrote in message
news:...
> Thanks Dragos.
>
>
>
> There's no way of leaving the groups and users that are currently in the
> administrators security group? Particularly individual user accounts.

Dragos CAMARA
02-21-2007
As I said, use the memberof behavior to keep members and just add another group
there, or use members to wipe the group and add ONLY the users/groups you
specify.
--
Dragos CAMARA
MCSA Windows 2003 server


"Mike" wrote:

> Thanks Dragos.
>
>
>
> There's no way of leaving the groups and users that are currently in the
> administrators security group? Particularly individual user accounts.

Mike
02-22-2007

Yes, but this wipes any users that have been added to the local
administrators group.




"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:...
> Yes
>
> computer configuration \ windows settings \ restricted groups
>
> group = your group to be made local admins
> member of = BUILTIN\Administrators
>
>
>
> http://www.windowsecurity.com/articl...ed-Groups.html
>
> http://www.microsoft.com/technet/pro...a15c18f6a.mspx
>
> http://www.microsoft.com/resources/d...ictgroups.mspx
>
>
> There is absolutely nothing that has to be done on the client side.
>
> Create the gpo in the ou where the Computers reside (NOT the users), go to
> computer configuration/windows settings/security settings/restricted
> groups, right click on restricted groups and select new group (For the
> local computers, this group name should be - administrators) and key in
> the group you want auto populated. Select add on the Members of this
> group and then add the members you want populated.
>
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

Mike
02-22-2007


I want to keep the existing members on the local machine, and add my
management group to the local administrators group. I've tested this
scenario and as I said before - There's no way of leaving the groups and
users that are currently in the local machine's administrators security
group? Particularly individual user accounts.


"Dragos CAMARA" <> wrote in message
news:1246D274-075B-486D-B52B-...
> As I said, use the memberof behavior to keep members and just add another group
> there, or use members to wipe the group and add ONLY the users/groups you
> specify.
> --
> Dragos CAMARA
> MCSA Windows 2003 server

Jorge Silva
02-22-2007
To keep existing groups:
- Create a Security Group in AD using ADUC, for example: "HelpDeskAdmis".
- Create a new policy, "Restricted Groups Policy", and link it to the correct
OU where the computers that you want to apply this policy to are.
- Edit the policy and go to -> Computer Configuration -> Windows
Settings -> restricted groups.
- Choose Add new group, search for the HelpDeskAdmis security group and
add it. It will become something like Mydomain\HelpDeskAdmis.
- Instead of using "Members of this group", you'll choose the "This group is a
member of" option and choose Add, then type "builtin\Administrators". Choose
OK twice.
DONE.


--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Mike" <> wrote in message
news:%...
>
>
> I want to keep the existing members on the local machine, and add my
> management group to the local administrators group. I've tested this
> scenario and as I said before - There's no way of leaving the groups and
> users that are currently in the local machine's administrators security
> group? Particularly individual user accounts.
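The two Restricted Groups options the replies above describe ("Members of this group" in Dragos's and Paul's posts, "This group is a member of" in Jorge's steps), as an added example that is not part of the original thread: a Python model that reads the `[Group Membership]` section a Restricted Groups GPO writes to GptTmpl.inf and shows what each form does to a machine's existing local Administrators members. The INF fragments, the machine name PC01 and the account names are constructed, and the model covers only the Administrators group.

```python
# Added example: model of Restricted Groups applied to local Administrators.
# All INF fragments and account names below are constructed for illustration.
ADMIN_NAMES = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

def is_admins(name):
    """True if name refers to BUILTIN Administrators (SID S-1-5-32-544)."""
    return name.strip().lower() in ADMIN_NAMES

def parse_group_membership(inf_text):
    """Return {(principal, 'members'|'memberof'): [values]} from GptTmpl.inf text."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            principal, sep, kind = key.strip().rpartition("__")
            if sep:
                entries[(principal, kind.lower())] = [
                    v.strip() for v in value.split(",") if v.strip()]
    return entries

def apply_policy(entries, local_admins):
    """Return (resulting Administrators members, accounts the policy removed)."""
    result = set(local_admins)
    for (principal, kind), values in entries.items():
        if kind == "members" and is_admins(principal):
            result = set(values)          # authoritative: unlisted members go
    for (principal, kind), values in entries.items():
        if kind == "memberof" and any(is_admins(v) for v in values):
            result.add(principal)         # additive: existing members stay
    return result, set(local_admins) - result

# Jorge's steps: the domain group is listed with "This group is a member of".
MEMBER_OF_GPO = """
[Group Membership]
MYDOMAIN\\HelpDeskAdmis__Memberof = *S-1-5-32-544
"""
# The other option: Administrators is listed with "Members of this group".
MEMBERS_GPO = """
[Group Membership]
*S-1-5-32-544__Members = Administrator,MYDOMAIN\\Domain Admins,MYDOMAIN\\HelpDeskAdmis
"""
LOCAL_ADMINS = {"Administrator", "MYDOMAIN\\Domain Admins", "PC01\\alice"}

if __name__ == "__main__":
    for label, gpo in (("Member Of", MEMBER_OF_GPO), ("Members", MEMBERS_GPO)):
        result, removed = apply_policy(parse_group_membership(gpo), LOCAL_ADMINS)
        print(f"{label}: admins={sorted(result)} removed={sorted(removed)}")
```

The same parser can be pointed at a GPO's GptTmpl.inf under SYSVOL to see which of the two forms a policy uses before it is linked to an OU.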
 
Paul Bergson [MVP-DS]
02-22-2007
Not if you follow my directions. I use it for similar purposes and it works
just fine.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mike" <> wrote in message
news:...
>
> Yes, but this wipes any users that have been added to the local
> administrators group.