Ryan,

I believe this will work even better than I hoped.

http://www.frickelsoft.net/blog/?p=13

I can add mydomain\SalesAdmins to the local Administrators group, or
even force the membership of Administrators to be mydomain\SalesAdmins.

Outstanding

/Ed

On Tue, 2011-09-20 at 14:14 +0000, Ryan M. Finn wrote:
> You could use two policies and set them as follows:
> 
> Policy #1
> Applies to: Sales Computers
> Policy Settings: Windows Settings > Security Settings > Restricted Groups
> Set up a restricted group call Remote Desktop Users and add DOMAIN\Sales Admins into it
> 
> Policy #2
> Same as #1, but apply to Manu Computers and add DOMAIN\Manu Admins to group
> 
> This will make it so anyone added to the proper AD security group can remote control the computers in the GPO.  It also prevents anyone from logging on to the server locally and changing who can remote in, without your knowledge.
> 
> I'm doing this from memory, so bear with me.
> 
> If I've taken a swing-and-a-miss at your question, please ridicule me.  :-)
> 
> Ryan M. Finn
> Systems Administrator
> Michigan State University
> 
> -----Original Message-----
> From: Ed Symanzik [mailto:[log in to unmask]] 
> Sent: Tuesday, September 20, 2011 9:48 AM
> To: [log in to unmask]
> Subject: [MSUNAG] Active Directory GPO
> 
> Newbie Active Directory question for y'all.
> 
> Let's say I have a two groups of computers: Sales and Manufacturing; and two groups of users: Sales Admins and Manufacturing Admins.  I would like to create a policy that dictates that only administrators may access servers remotely.  How can I apply this policy to both groups of computers but have administrators mean Sales Admins in one case and Manufacturing Admins in the other?
> 
> Sorry, but I don't even know what to search for to get the answer myself.
> 
> Thanks,
> 
> --
> Ed Symanzik, ATS
> 
> 
>