Should I use Restricted Groups for this?

Status
Not open for further replies.

BrotherJones

Technical User
Jun 3, 2006
47
US
Hello all,
I am working for a group of developers. I have created an OU structure in AD that has all of the developers and their workstations under it. Under the developers OU there is an OU called computers - and underneath computers are two OUs - desktops and servers. I would like to give one of the developers administrative rights to all of the servers under the servers OU, but would like to do this via a policy (so that any other machines added to the servers OU automatically assign that specific developer admin rights to the machine). This developer cannot have domain admin rights and shouldn't have admin rights to any other OU other than the servers OU. From what I have read so far, using the Restricted Groups GPO settings may be able to do this (but haven't figured it out yet). Just wondering if this is the way to go, or should I be looking at another way to solve this?
Thanks.
 
Well, the only caveat with using Restricted Groups is that you understand that the policy will CHANGE the group to match EXACTLY what's in the policy - that includes removing others already in that group.

Just keep that in mind.

Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
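
The caveat above, that the policy makes the group match its list exactly, can be checked before the GPO is linked to the servers OU. This is an added example, not part of the original thread: it reads the `[Group Membership]` section that a Restricted Groups "Members of this group" setting writes to the GPO's GptTmpl.inf and reports which accounts a server's local Administrators group would lose. The template text, every SID and the current membership list are constructed samples, and the comparison assumes members are written as SIDs.

```python
# Constructed sample of the [Group Membership] section a Restricted Groups
# setting writes to GptTmpl.inf; every SID below is made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1610
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Constructed current local Administrators membership on one server:
# Domain Admins (-512), a helpdesk group (-1455) and a local service account.
CURRENT = [DOM + "-512", DOM + "-1455", "S-1-5-21-4444444444-5555555555-6666666666-1001"]

def enforced_members(inf_text, group_sid):
    """Return the SIDs the policy enforces for group_sid, or None if it is not restricted."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, _, kind = key.strip().rpartition("__")
        if name.lstrip("*").upper() == group_sid.upper() and kind.lower() == "members":
            return {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
    return None

def membership_diff(current, enforced):
    """Effect of applying the enforced list to a machine's current membership."""
    current = {m.upper() for m in current}
    return {"removed": sorted(current - enforced),
            "added": sorted(enforced - current),
            "kept": sorted(current & enforced)}

if __name__ == "__main__":
    diff = membership_diff(CURRENT, enforced_members(SAMPLE_INF, ADMINISTRATORS))
    for action, sids in diff.items():
        print(action, sids)
```

Anything listed under `removed` has to be added to the policy's member list if it should keep its admin rights on the servers.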
 
Thanks for the reply Pat. Just curious, is this the proper way to go about accomplishing what I want to do, or is there a more efficient way?
 
Yeah, Restricted Groups is the correct way to do this, although if you're only talking about a couple of servers it would be less hassle to add them to the local admin groups on the servers directly.
 
I assume that none of the servers are DCs?

If they are, then it will not work, as the servers shouldn't be moved to another OU, as they will only use the default DC policy.

If they are non-DCs (not sure if member server is still the correct term now?), then the use of Restricted Groups is the best method.
 