Re: Local Admin

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 09/20/04


Date: Mon, 20 Sep 2004 09:40:51 -0400

Yes, this is the way to do it. You would want to use the Restricted Group
GPO. But, there are two things that you need to be aware of before
continuing:

1) with the Out-of-the-Box configuration the use of this GPO will flush the
current users and groups from the local Administrators group and then place
the group that is your focus in the local Administrators group. So, it is a
'wipe and load'-type situation. I do not know about you but I would really
like the Domain Admins group to be a member of each and every WIN2000 and
WIN XP Pro system in my environment. So, in addition to your 'focus' Group
you might want to include the Domain Admins group.....

2) you really want to pay attention to the warning in step three!

In reference to point 1)....there is a workaround. You would need to call
MS-PSS and get both patches ( one for the WIN2000 systems and one for the
WINXP Pro systems ) and install that patch on each and every machine. Once
you do this the processing of the Restricted Groups GPO is altered to simply
add your 'focus' group. So, if Yourdomain\Support and Yourdomain\Domain
Admins and Yourdomain\JBlow are currently members of the local
Administrators group ( either on all or on some of your systems ) they will
remain members. There would simply be a new addition, namely,
Yourdomain\focusgroup.

Also, you might want to do a search through the newsgroups before posting a
question. This is asked quite often. But no biggie.

HTH,

Cary

PS. Here is the link to the patch: http://support.microsoft.com/?id=810076

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:%23utd6zvnEHA.2680@TK2MSFTNGP15.phx.gbl...
> You can do this with the Restricted Groups function of Group Policy:
> -- http://support.microsoft.com/?id=279301
>
>
> --
>
>
> Paul Williams
> _______________________________
> http://www.msresource.net
>
>
> Join us in our free, public forum:
> http://forums.msresource.net
> _______________________________
> "Keith" <@.> wrote in message
> news:e4t6KqvnEHA.3876@TK2MSFTNGP15.phx.gbl...
> Is there any way with GPO to make it so that whatever machine a particular
> user/group log on to they are granted local administrator rights?
>
> I don't want to have to go round every machine manually adding them.
>
>
>
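
Added example (not part of the original thread or of any Microsoft tooling): a Python preview of the 'wipe and load' behaviour described in point 1 of the reply above, run against a constructed `[Group Membership]` section of a policy's GptTmpl.inf. The account names are the thread's own placeholders; the INF sample, the function names and the use of account names rather than SIDs in the Members value are assumptions for illustration.

```python
"""Preview what a Restricted Groups 'Members' list does to local Administrators."""

ADMINS_SID = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample: only the 'focus' group is listed, as in point 1 of the reply.
SAMPLE_INF = r"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Yourdomain\focusgroup
"""


def restricted_members(inf_text, group=ADMINS_SID):
    """Return the Members list the policy sets for `group`, or None if it sets none."""
    section = None
    wanted = (group + "__Members").lower()
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == wanted:
            return [m.strip() for m in value.split(",") if m.strip()]
    return None


def preview(inf_text, current_members):
    """Compare current membership with the policy list (names are case-insensitive)."""
    enforced = restricted_members(inf_text)
    if enforced is None:  # policy does not touch this group
        return {"removed": [], "added": [], "kept": sorted(current_members)}
    cur = {m.lower(): m for m in current_members}
    enf = {m.lower(): m for m in enforced}
    return {
        "removed": sorted(cur[k] for k in cur.keys() - enf.keys()),
        "added": sorted(enf[k] for k in enf.keys() - cur.keys()),
        "kept": sorted(cur[k] for k in cur.keys() & enf.keys()),
    }


if __name__ == "__main__":
    # Constructed current membership, using the names from the reply.
    current = [r"Yourdomain\Support", r"Yourdomain\Domain Admins", r"Yourdomain\JBlow"]
    for action, names in preview(SAMPLE_INF, current).items():
        print(f"{action:8} {names}")
```

Anything reported under `removed` is what the unpatched behaviour would flush; adding Domain Admins to the Members line moves it to `kept`.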
