This can be done easily via GPO

From: MartinHTN (m_at_ht.n)
Date: 09/20/04


Date: Mon, 20 Sep 2004 09:18:51 -0400

Hello Keith:

This is very easy to do and it can be done with a GPO setting. See my
personal notes below.

You can restrict membership of local groups on computers in an OU. For
example, you want to restrict the local Administrators group on all Windows
2000/2003/XP servers and workstations in the Boston OU. Edit the GPO for
that OU > go to Computer Configuration\Windows Settings\Security
Settings\Restricted Groups > add Administrators as a restricted group and
allow only MyDomain\Domain Administrators and MyDomain\Boston Admins to be
members. Whenever the GPO is applied (either at startup or at the designated
GP refresh interval) it will remove other members of the local
Administrators group besides the two groups that you allowed as members. If
the groups are not already members, they will be added as members. Note that
the local Administrator account would not be removed from the Administrators
group via this GPO setting.

One thing I noticed with a Windows 2000 Professional SP4 client was that the
changes I made to this GPO setting did not take effect even if I rebooted
the computer twice! I had to actually log on as a user before the change
took effect. This is kind of strange because the settings are made in the
Computer Configuration section of the GPO and the GPO applies to the OU that
the computer is in - the user was in a different OU.

Regards,
Martin

"Keith" <@.> wrote in message news:e4t6KqvnEHA.3876@TK2MSFTNGP15.phx.gbl...
> Is there any way with GPO to make it so that whatever machine a particular
> user/group log onto they are granted local administrator rights?
>
> I don't want to have to go round every machine manually adding them.
>
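
The Restricted Groups behaviour described in the reply above, as an added example that is not part of the original thread: a PowerShell check that compares a machine's local Administrators membership with the list the policy is meant to enforce. The function name `Compare-RestrictedGroup`, the machine name `PC01` and the account `jsmith` are hypothetical; the two allowed groups are the ones named in the post.

```powershell
# Added example: report drift between the local Administrators group and the
# members a Restricted Groups policy is expected to enforce.

# Allowed members, taken from the post.
$Allowed = @(
    'MyDomain\Domain Administrators',
    'MyDomain\Boston Admins'
)

function Compare-RestrictedGroup {
    param(
        [string[]]$Current,      # members currently in the local group
        [string[]]$Allowed,      # members the policy permits
        [string]$BuiltinAdmin    # local Administrator account, left in place per the post
    )
    # Everything the policy would leave in the group after it applies.
    $keep = @($Allowed) + $BuiltinAdmin

    # -notin compares case-insensitively, which matches Windows account names.
    $unexpected = @($Current | Where-Object { $_ -notin $keep })     # policy should remove these
    $missing    = @($Allowed | Where-Object { $_ -notin $Current })  # policy should add these

    [pscustomobject]@{
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

# Constructed sample membership (hypothetical machine PC01). On a live machine
# with the Microsoft.PowerShell.LocalAccounts module, the same list comes from:
#   (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$sample = @(
    'PC01\Administrator',
    'MyDomain\Domain Administrators',
    'MyDomain\jsmith'
)

$result = Compare-RestrictedGroup -Current $sample -Allowed $Allowed `
                                  -BuiltinAdmin 'PC01\Administrator'
$result | Format-List
```

Running the check after a reboot and again after a user logon shows at which point the policy was actually applied on a given client.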


