2008 Group Policy Question

billybob01billybob01 Member Posts: 504
in Off-Topic
I am looking for a way to add a security group to all workstations on our domain, so that i can add a selection of users to install sotware.

Any ideas?
· Share on FacebookShare on Twitter

Comments

  • MishraMishra Member Posts: 2,468 ■■■■□□□□□□
    Sounds like you want to implement Restricted Groups. Be careful with RGs as they REPLACE the users/groups on all workstations. So you would have to manage a constant list.
    My blog http://www.calegp.com

    You may learn something!
    · Share on FacebookShare on Twitter
  • qcomerqcomer Member Posts: 142
    Mishra wrote: »
    Sounds like you want to implement Restricted Groups. Be careful with RGs as they REPLACE the users/groups on all workstations. So you would have to manage a constant list.

    Or you can use restricted groups on the group level:

    Create a new group, add your users to it. Use Restricted Groups to add this to the local admin group. There is an option in restricted groups to do it this way so it doesnt not replace any other accounts in the current local admins group, it just adds the group you selected.

    This is how Ive added the sccm admin accounts and stuff to our local admins without replacing current local admins.
    · Share on FacebookShare on Twitter
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Yes, this. This is how we enforce our tech support group remain in local admins, even if someone tries to be cute and remove them.

    You can use restricted groups to dictate the membership of a group, or you can use them to give a list of groups that an account (user or group) should always be a member of. We're using RG's both to lock down the elevated Built-in groups in our domain, and to enforce the policy that tech support is always in local admins for our desktops.
    qcomer wrote: »
    Or you can use restricted groups on the group level:

    Create a new group, add your users to it. Use Restricted Groups to add this to the local admin group. There is an option in restricted groups to do it this way so it doesnt not replace any other accounts in the current local admins group, it just adds the group you selected.

    This is how Ive added the sccm admin accounts and stuff to our local admins without replacing current local admins.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
    · Share on FacebookShare on Twitter
  • billybob01billybob01 Member Posts: 504
    Cool, thanks guys, tried the RG option and it works a treat. Thanks again. :)
    · Share on FacebookShare on Twitter
Sign In or Register to comment.