SCCMNAP BLOGS

Supporting System Center & Forefront Security and Identity Management

Richard Got NAPd

The title “Richard Got NAPd” was born back in 2005 when I first joined Microsoft and participated in Microsoft’s 1st deployment rollout of System Center Configuration Manager 2007 Network Access Protection (NAP), which was a 3-year project. As a member of MSIT during this deployment, it gave me a lot of insight into network intrusion protection and security compliance. So the title implies that I was intrigued by the integrated technology of Network Access Protection and systems management and compliance monitoring, which consumed the first 3 years of my time at Microsoft.

How to Add domain accounts to Local Administrators Group using GPO

There are a lot of questions in newsgroups, forums etc. about how to use Restricted Groups in the right way so I wanted to post a how-to for people to read.

Finding Restricted Groups is easy, but it only works in a domain with Active Directory, so you will not find it in the local GPO on your computer.

First, right-click Restricted Groups and select “Add Group”.
This opens the default window for choosing a group, either from your domain or from your local computer, depending on what you want to configure.

Now you have two choices for what to do with the group you selected: “Members of this group” or “This group is a member of”. The difference between these choices is big, so I explain them in two steps.

Members of this group

This is the choice to make when you want to add users to a group. What you select here is exactly what you will see on the computers affected by this policy. So if, for example, you want to add a user to the local Administrators group on the computers, don’t forget to add Administrator as well, or the Administrator account will be removed from the local Administrators group on those computers.

For example, this picture shows a list that contains both the local Administrator account and the built-in Authenticated Users group.

This group is a member of

Use this choice when you want to add your selected group to another group. It is the opposite of choice 1 described above, and it does not override any other configuration you have made. So if you selected “Authenticated Users” as the group and use this option to add it to the “Administrators” group, any other users you might have added to that group (manually, perhaps) won’t be overwritten by this choice.

The example in this picture adds the “Power Users” group to the “Administrators” group.
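The two modes side by side, as an added example that is not part of the original post. It goes one step beyond the post by using the [Group Membership] section that a Restricted Groups policy stores in the GPO's GptTmpl.inf security template; the INF fragments, the placeholder account SID and the function names are constructed for illustration.

```python
# Constructed sample data; the S-1-5-21-1111-... SID is a placeholder, not a real account.
ADMINS, POWER_USERS, AUTH_USERS = "*S-1-5-32-544", "*S-1-5-32-547", "*S-1-5-11"
TEMP_ADMIN = "*S-1-5-21-1111-2222-3333-1105"       # account someone added by hand
CURRENT = {ADMINS: {"Administrator", TEMP_ADMIN}}  # membership before the GPO applies

# "Members of this group": Administrators = Administrator + Authenticated Users
MEMBERS_INF = "[Group Membership]\n*S-1-5-32-544__Members = Administrator,*S-1-5-11\n"
# "This group is a member of": Power Users is added to Administrators
MEMBEROF_INF = "[Group Membership]\n*S-1-5-32-547__Memberof = *S-1-5-32-544\n"


def parse_group_membership(inf_text):
    """Return (members, memberof) dicts read from the [Group Membership] section."""
    members, memberof, section = {}, {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, mode = key.strip().rpartition("__")
        principals = {p.strip() for p in value.split(",") if p.strip()}
        if mode.lower() == "members":
            members[group] = principals
        elif mode.lower() == "memberof":
            memberof[group] = principals
    return members, memberof


def apply_policy(inf_text, current):
    """Model the membership that results on a client: {group: set(principals)}."""
    members, memberof = parse_group_membership(inf_text)
    result = {g: set(m) for g, m in current.items()}
    for group, principals in members.items():
        result[group] = set(principals)                  # authoritative: replaces the list
    for child, parents in memberof.items():
        for parent in parents:
            result.setdefault(parent, set()).add(child)  # additive: others are kept
    return result


def dropped(inf_text, current):
    """Principals the policy would remove per group (a pre-deployment check)."""
    after = apply_policy(inf_text, current)
    return {g: m - after[g] for g, m in current.items() if m - after[g]}
```

Running `dropped()` against an export of current local group membership before linking the GPO shows which accounts a “Members of this group” list would strip. The post's sample list places Authenticated Users in Administrators, which makes every authenticated domain account a local administrator on the affected computers, so a dedicated security group is the usual choice in production.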

To summarize, Restricted Groups is fairly easy to use, it is the easiest way to add or remove users in groups, and it gives you much better control than you can ever get doing this manually. If you are doing this manually today, it’s time to stop and do it the right way instead.


About Richard Dixon

I’ve worked in the field of Systems Management since 1990, performing integration and automation through the use of Microsoft technologies such as System Center Configuration Manager 2007, Operations Manager, Service Manager, SQL Server 2008 & Reporting Services, Visual Studio, and SharePoint with InfoPath Integration. I am proficient on SCCM, Microsoft's Hyper V Virtualization technology, and Failover Clustering & Network Load Balancer Services. I have also worked extensively with SCCM Network Access Protection and enjoy learning new technologies. I am also a Microsoft Partner. I started work at Microsoft in 2005 in the SMS/SCCM team of MSIT, which later became the Management Platforms & Services Delivery group in the Management Services division. In MPSD I managed our Lab, Preproduction & Production environments using Microsoft's Hyper V technology. These environments support several SCCM infrastructures which include the management of 200,000 managed desktops across Microsoft. Prior to working at Microsoft I worked for Warner Bros/AOL Time Warner, NBC Studios, AT&T WorldNet Service, 24 Hour Fitness, State of California Health Department, Northrop Grumman, NOS Communications, GE Capital, KLA Tencor, Wells Fargo Mortgage Bank, Dudeworks, TeleTech, and TekSystems. Specialties: System Center Configuration Manager 2007, Service Manager, Virtual Machine Manager 2007 R2, Operations Manager 2007 R2, Hyper V, SQL Server, Scripting, Visual Studio, SharePoint Services and InfoPath Integrations and Systems Center Essentials.