RE: Automating Local Computer Admin Rights



Ok ya, go to restricted group, but this is going to need to be a GPO attached
to an OU and have computer accounts in there. When the first box opens up,
either browse for the group or type in administrators. Now the confusing box
opens up. Up on the top, add your special group and then add the domain admins
group, because by default they are in the local admin group on each local
computer. If you just add your special group, then that group will be the only
member of the administrators group on the local machine. After you add that,
maybe do a gpupdate /force on a machine. It will probably ask you to reboot
because it found some computer GPO settings. After that, go to computer
management on the local machine, then go to users and groups, choose groups, then
choose administrators, and you should see all those groups on each computer in
that OU that you have computer accounts in..... I have done it many times, I
know for a fact it works. Please let me know what happens. I am a noobie
poster here.

"xJayboyx" wrote:

Thank you for the responses. Now this can be done at any OU level, correct? I
have set up a test OU just for things like this and I made the change that you
told me to make, but it hasn't done anything. I'm not sure if I have it set
right or not.
--
Here were my steps. 1.) Right click Restricted Groups and click Add Group.
2.) Now here is where I put in the Group that I have created that I want to
become a local admin of all PCs under the OU. After that point is where I
kind of get confused. The top section says "Member of this group:" I added the
group Administrators thinking it wanted the Local Group. Then at the bottom
section it has "This group is a member of:" and there is nothing in there.
Not sure if I need something there or not.

Did some Google searching as well and didn't come up with a solution.

Thanks Again

"one3cap" wrote:

Yes, there is a way using a GPO. Computer config-security and then restricted
groups: you can add a group to the local administrators group on each workstation
without touching each workstation. But when you use restricted groups and, let's
say, you add the 1 group you created to the administrators group on the local
machine, you will wipe out all other memberships to the local admins group,
like the domain admins etc. So you must add all groups in there that you
want to be admins on the local machines, not just your one group, unless you
only want 1 group to be in the administrators group of the local
machine... make sense, I hope.

"xJayboyx" wrote:

I work for a bank that currently has Six Banks under the holding company. So
there are approximately 10 or so “Administrators” for our WAN. Now we have had
examiners chewing us out for having too many users in the “Domain Admins”
group. So we have gone ahead and created a different group that basically has
the same amount of rights as the Domain Admins, but this way we don’t have the
“Domain Admins” group full of users.

Now my Question Is: Is there a way in a Policy of some sort that I can make
this new Group that was created a local Admin for each PC without me having
to touch every single computer??

- Thanks for any input.


Jason
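
The two boxes discussed in this thread ("Members of this group" and "This group is a member of") are stored in the GPO's security template as `__Members` and `__Memberof` keys under `[Group Membership]`. The Python audit below is an added example, not code from any poster; it goes slightly beyond the thread by also recognising the additive `__Memberof` form, and the sample templates, domain SID and RID 1105 are constructed for illustration.

```python
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
DOMAIN_ADMINS_RID = "-512"       # well-known RID that ends every Domain Admins SID

# Constructed samples: the domain SID and RID 1105 (the "special group") are made up.
SPECIAL = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_REPLACE = f"""[Unicode]
Unicode=yes
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{SPECIAL}
"""
SAMPLE_ADDITIVE = f"""[Group Membership]
*{SPECIAL}__Memberof = *{ADMINISTRATORS}
*{SPECIAL}__Members =
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} for keys present in the INF."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, eq, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if not (in_section and eq and sep) or kind.lower() not in ("members", "memberof"):
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(name.lstrip("*"), {})[kind.lower()] = entries
    return groups

def audit(text):
    """Describe how each Restricted Groups entry affects local Administrators."""
    findings = []
    for group, cfg in parse_group_membership(text).items():
        if group == ADMINISTRATORS and "members" in cfg:
            # "Members of this group" is authoritative: anything not listed is removed.
            has_da = any(m.startswith("S-1-5-21-") and m.endswith(DOMAIN_ADMINS_RID)
                         for m in cfg["members"])
            findings.append("REPLACE: Administrators membership is overwritten; Domain Admins "
                            + ("listed" if has_da else "MISSING from the list"))
        elif ADMINISTRATORS in cfg.get("memberof", []):
            # "This group is a member of" only adds the group; other members stay.
            findings.append(f"ADDITIVE: {group} is added to Administrators")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_REPLACE, SAMPLE_ADDITIVE):
        print(audit(sample))
```

A real GptTmpl.inf is normally UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `audit`. Entries stored as unresolved names rather than SIDs are not matched by the Domain Admins check.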
