Aren’t Restricted Groups great?  I love how they keep our groups safe.  Now, what are Primary Groups again?  Oh, that’s the Domain Users group, right?  What do Primary Groups have to do with Restricted Groups?  Here’s a scenario… You’re the domain admin for your organization and management just informed you that you need to grant temporary domain admin rights to an application owner to do his install.  You’re not thrilled with t... [More]

The protection and management of built-in administrative groups in Active Directory helps to provide us confidence and security in the stability and ownership of our domain and resources. These groups tend to become overrun with unintended or forgotten membership; requiring our diligent attention and constant effort to maintain. This is really what Restricted Groups are intended for but it rarely seems to be used in this manner. More often we see Restricted Groups being used to protect the loca... [More]

Some time ago I had a request to create local user accounts on laptops and to provide those user accounts with administrative access and they wanted this done in an automated manner.  Of course Restricted Groups immediately came to mind until they told me that they wanted local usernames to match their domain names.  They only wanted the users to have this configuration when the laptops would be taken into the field for an extended period of time where they would not be on the corporat... [More]

One of my all-time favorite group policy settings is DNS Servers in the Network / DNS Client node under Administrative Templates. Now this policy setting only applies to XP and while I don't know the exact reason, I can speculate. While I was doing a migration I was presented with a challenge. I needed to migrate some workstations by business unit rather than by subnet or DHCP scope. So, I may have two machines sitting right next to each other that each used the same DHCP server and were part o... [More]