Re: Rights to local machine

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/26/04


Date: Tue, 25 May 2004 17:27:50 -0700

Inside of GPOs there is a Restricted Groups node.
If in a GPO linked to an OU containing the machines
to be impacted, you define an Administrators entry in
Restricted Groups, then you can specify exactly what
should be in the Administrators group on impacted
machines, and optionally you may also define what
groups a Restricted Group is itself a member within.

However, the membership(s) you define in Restricted
Groups are exact, that is, they do not add to what is
there, but will replace what is there. For this reason
you need to be able to define the same membership on
all machines impacted by the GPO. For example, if
the built-in Administrator account has been renamed as
SomeName, then it needs to be renamed that way on all
impacted machines. If local account JohnDoe is to be
an admin on one machine, this cannot be done unless it
will be that way on all machines impacted by that one
GPO. Etc.
However, if you have a uniform deployment, and want
Domain Admins, some custom domain group, the machine
local built-in Administrator, and perhaps some other machine
local accounts to be members of the local Administrators group
and the local accounts are named the same on all machines,
then Restricted Groups will be just what you need.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Iain M" <anonymous@discussions.microsoft.com> wrote in message
news:11f0f01c44236$e7936400$a501280a@phx.gbl...
> Thanks for the reply. Can you explain that in layman's
> terms - I'm a beginner at Win 2003, GPOs and the like.
>
> Iain
>
> >-----Original Message-----
> >If those machines are subject to some GPO(s) you can
> >possibly use Restricted Group definitions, provided that
> >you can specify exactly what the memberships of the
> >machine local groups should be.
> >
> >-- 
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCDBA,  MCSE W2k3+W2k+Nt4
> >"Iain M" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:115b301c44181$fbdb81f0$a501280a@phx.gbl...
> >> How do I assign rights to the local machine using group
> >> policy ?
> >> For example, when AdminUser logs in to his AD domain
> >> account, I want them to have Administrative rights to
> the
> >> local machine.
> >> When StandardUser logs in to AD, I want them to have
> >> standard user rights to the local machine.
> >>
> >> Thanks for any help.
> >>
> >> Iain
> >
> >
> >.
> >
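
Added example, not part of the original thread: a pre-deployment check of the replace semantics described in the reply above. It parses the [Group Membership] section that a GPO's security template (GptTmpl.inf) uses for Restricted Groups and previews, per machine, which local Administrators members enforcement would remove or add. The domain name EXAMPLE, the group Workstation Admins, the host names and the inventory are constructed, and members are compared by name as the reply describes.

```python
import configparser

# Constructed sample of a [Group Membership] section from a GptTmpl.inf.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\\Domain Admins,EXAMPLE\\Workstation Admins,Administrator
"""

# Constructed inventory: current local Administrators members per machine.
# WS02 has the built-in account renamed and one extra local admin.
SAMPLE_INVENTORY = {
    "WS01": ["Administrator", "EXAMPLE\\Domain Admins"],
    "WS02": ["SomeName", "EXAMPLE\\Domain Admins", "JohnDoe"],
}


def parse_members(inf_text, group="*S-1-5-32-544"):
    """Return the exact member set defined for `group`, lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(inf_text)
    raw = cp.get("Group Membership", group + "__Members", fallback="")
    return {m.strip().lower() for m in raw.split(",") if m.strip()}


def preview(defined, inventory):
    """Per machine, list what exact-membership enforcement would change."""
    report = {}
    for host, current in inventory.items():
        cur = {m.lower() for m in current}
        report[host] = {
            "removed": sorted(cur - defined),  # present now, not in the GPO
            "added": sorted(defined - cur),    # in the GPO, not present now
        }
    return report


if __name__ == "__main__":
    defined = parse_members(SAMPLE_INF)
    for host, change in preview(defined, SAMPLE_INVENTORY).items():
        print(host, "removed:", change["removed"], "added:", change["added"])
```

Any machine with a non-empty "removed" list is one where the deployment is not uniform in the sense the reply requires.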

