
Pseudo Local Administrator Group

Pederv

Golden Member
I was thinking that you could create a local group and make it a member of the local administrator group and then limit the rights of the nested group so it couldn't modify the members of the administrator group but still have the power of an administrator and add members to all of the local groups except the local administrator. Is there a way to do this? Does the created group need a security certificate or something?
 
No, you can't do that.

There's no such thing as "I want to have an administrator who can do everything but...."

Administrators can do everything. And can find a way around any roadblocks you put in front of them if they're smart enough.
 
Thanks for the reply.
I think, if I'm understanding Group Policy correctly, that a local group cannot be nested in the built-in local groups. But a Domain, Global or Universal group can be nested in a local group and if the user is a member of one of those groups then their access can be limited.
 
Group Membership and GPOs are separate.

(in a W2K Domain)
Local groups can contain: Any other kind of group/user/computer except another local group.
Domain Global groups can contain: Any Domain group, domain user/computer and any Universal group.
Universal Group: Can contain any Forest user/computer

I'm having trouble trying to figure out exactly what you want to accomplish. I think what you want to do is allow some Domain Users to manage (local) group membership on a particular server. If that's the case, go ahead and use the Account Managers group.
What is the link between the group membership questions and GPOs?
 
The goal was to give a local user admin rights to everything except the ability to edit or add users on the system, while at the same time allowing certain users the ability to add or edit users on the same machine.
I ended up locking down the Local Users and Groups and the Local Group Policy so that someone on the machine couldn't access them. As an admin on the domain I can use the Users and Groups applet or the Group Policy applet and remote into the machine and change user rights. It's not quite what I wanted, but it'll work.
 