Re: Adding User ID in Local Admin Group using Group Policy
- From: PC <PC@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 4 Oct 2006 00:26:02 -0700
Sorry, I did not know this. I did lots of painful research about this and finally performed the workaround I posted in this article for our organization. Of course, this was prior to SP2, when this could only be accomplished with the undesirable restricted groups/members, and I never went back and re-examined it.

Thanks!
"Roger Abell [MVP]" wrote:
"PC" <PC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7101673-E4D9-4B30-84D3-E355DFC6CCE3@xxxxxxxxxxxxxxxx
This has been asked a million times and there is no clean solution, but this does work.

If you want to add to the Administrators group and RESTRICT it (so the membership cannot be modified locally), use restricted groups. However, most people don't desire this behavior because it removes everyone else from the local Administrators group.
Ummm - perhaps you should read the KB to which I provided a link:
http://support.microsoft.com/kb/810076

Notice that, applied to the case of this poster, one would define a domain group, such as "ClientAdm", and then in a GPO with the impacted client machines in its scope define a restricted group definition for ClientAdm. In this restricted group definition one would not (need to) use the Members list, but would add Administrators to the Member-Of list.

The effect is that ClientAdm is added to the Administrators group on machines in scope of the GPO, and no members already in the Administrators group see any change (they remain members). This solution became available with W2k SP4 and XP SP2.

Roger
If you just want to add to the local Administrators group and leave existing membership alone, use GP to run a computer startup script (NOT USER), and only give domain computers access to the startup script file.

In computerstartupscript.cmd place:

    net localgroup Administrators /add "domain\WKST Admin (SEC)"

Please note the limitation (undocumented bug) of 13-15 characters or so in group name length for groups manipulated using the net localgroup tool. Otherwise it will silently fail if the group name is too long, even though it is valid in Windows. Use a short group name.

This global group will now be a local admin on all your machines on reboot. You can simply add desired users to the global group in Active Directory.

Another useful one -- reset the local admin password while you're at it, but be sure to restrict access to the login script to domain computers if you do this, otherwise it's not of much use!

    net user administrator newlocaladminpasswordhere
"Ahmad M. Zahoory" wrote:

Hi,

We have Active Directory 2003 and have also implemented Group Policy. We want to add one specific user ID to the Local Admin group on all the workstations (but not using the domain admin). Please help us with how we can implement this.

--
Regards,
Ahmad M. Zahoory
E-mail: ahmad.zahoory@xxxxxxxxx
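As an added example (not code from anyone in this thread), the following PowerShell computer-startup script does what PC's net localgroup one-liner does, but idempotently: it adds a domain group to the local Administrators group only if it is not already there, confirms afterwards that no existing member was removed (the behavior Roger's Member-Of approach guarantees by design and that a script must check for itself), and writes the resulting membership to the Application event log so drift can be collected centrally. It assumes Windows 10 / Server 2016 or later for the Microsoft.PowerShell.LocalAccounts cmdlets; the group name CONTOSO\ClientAdm and the event source name are placeholders. Because Add-LocalGroupMember resolves the account by SID rather than passing a string to net.exe, the short-name limitation PC describes for net localgroup does not apply here.

```powershell
# Added example, not from the original thread. Ensures a domain group is in
# local Administrators without touching other members, then audits the result.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).
param(
    [string]$DomainGroup = 'CONTOSO\ClientAdm',   # placeholder: your DOMAIN\group
    [string]$LocalGroup  = 'Administrators'
)

$ErrorActionPreference = 'Stop'

function Get-GroupMemberNames {
    param([string]$Group)
    # Returns member names as DOMAIN\name or COMPUTER\name.
    Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name }
}

$before = @(Get-GroupMemberNames -Group $LocalGroup)

if ($before -contains $DomainGroup) {
    Write-Output "$DomainGroup is already a member of $LocalGroup; nothing to do."
} else {
    # Resolves the account by SID; no dependency on net.exe name handling.
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
    Write-Output "Added $DomainGroup to $LocalGroup."
}

# Safety check: every member present before the script ran must still be there.
$after   = @(Get-GroupMemberNames -Group $LocalGroup)
$removed = @($before | Where-Object { $after -notcontains $_ })
if ($removed.Count -gt 0) {
    throw "Unexpected removal from $LocalGroup: $($removed -join ', ')"
}

# Record the final membership for central collection (event forwarding / SIEM),
# so unexpected local admins are visible without logging on to each machine.
$source = 'LocalAdminStartupScript'   # placeholder event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 `
    -EntryType Information `
    -Message ("Local {0} membership after startup script: {1}" -f $LocalGroup, ($after -join '; '))
```

Deploy it the same way PC describes: as a computer startup script (not a user logon script), with the script file readable only by Domain Computers. Unlike a `net user administrator ...` line, this script contains nothing that must be kept secret, so the share ACL is about integrity of the script rather than confidentiality.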