RE: Automating Local Computer Admin Rights

Hello, Sorry to be a pain, but I discoverd that we will have another major
issue if I implement this. At this point we give the personal domain user of
the PC administrator rights. How would I go about that?? I'm thinking I'm
gonna be screwed with this one?? There wouln't be anything I can do with
%username% is there?? I really don't want to touch eveyone of these machines.
Again thanks for your help..

Jason

"xJayboyx" wrote:

Thank you very much.. I got it to work on my test OU. Now one last question.
I created the GPO on a test OU that had the computer right in that OU.
Now how my setup is I have a Parent OU of "NFSB" Under that I have a Users
OU and a Computers OU -- Then under thouse I have the name of the BRANCH..
Then the computers are under the correct branch.. Now will I be safe and putt
this on the "COMPUTERS" OU and it will trickle down into the child OU's
correct??
Again you were very help full..

Thank You..

"one3cap" wrote:

ok ya go to restricted group but this is going to need to be a gpo attached
to a OU and have computer accounts in there and when the first box opens up
either browse for the group or type in administrators now the confusing box
opens up up on the top add your special group and then add domain admins
group because by default they are in the local admin group on each local
computer. if you just add your special group then that group will be the only
members of the administrators group on the local machine. after you add that
maybe do a gpupdate /force on a machine it will proably ask you to reboot
because it found some computer gpo settings and after that go to computer
management on the local machine then go to users and group choose groups then
choose administrators and you should see all those groups on each computer in
that OU that you have computer accoutns in.....i have done it many times i
know for a fact it works. please let me know what happens i am a noobie
poster here.

"xJayboyx" wrote:

Thank you for the responses. Now this can be done at any OU level correct?? I
have setup a test OU just for things like this and I made the change that you
told me to make but it hasn't done anything. I'm not sure if I have it set
right or not.
--
Here were my steps. 1.) Right click restricted Groups and click Add Group.
2.) Now here is where I up in the Group that I have created that I want to
become a local admin of all PC's under the OU. After that point is where I
kindof get confused. The top section says "Member of this group:" I added the
group Administrators thinking it wanted the Local Group. Then at the bottom
section it has "This group is a member of:" and there is nothing in there..
Not sure If I need something there or not..

Did some google searching as well and didn't come up with a solution.

Thanks Again

"one3cap" wrote:

yes there is a way using a GPO. computer config-security and then restricted
groups you can add a group local administrators group on each workstation
without touching each workstation. but when you use restricted group and lets
say you add your 1 group you created to the administrators group on the local
machine you will wipe out all other memberships to the local admins group
like the domain admins etc.. so you must add all groups in there that you
want to be admins to the local machines not just your one group unless you
only want 1 group to be in the administrators group of the local
machine...make sense, i hope.

"xJayboyx" wrote:

I work for a bank that currently has Six Banks under the holding company. So
there is approximately 10 or so “Administrators” for our WAN. Now we have had
examiners chewing us out for having to many users in the “Domain Admins”
group. So we have went ahead and created a different group that basically has
the same amount of right as the Domain Adims , but this way we don’t have the
“Domain Admins” group full of users.

Now my Question Is: Is there a way in a Policy of some sort that I can make
this new Group that was created a local Admin for each PC without me having
to touch every single computer??

- Thanks for any input.


Jason

.

Relevant Pages

  • RE: Automating Local Computer Admin Rights
    ... ok ya go to restricted group but this is going to need to be a gpo attached ... members of the administrators group on the local machine. ... become a local admin of all PC's under the OU. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group member of another group
    ... Servers cannot support nested groups. ... I already have the local admin group added to ... group to the administrators group. ... You apparently have added a second domain group as a member of the local ...
    (microsoft.public.windows.server.active_directory)
  • RE: Automating Local Computer Admin Rights
    ... members of the administrators group on the local machine. ... become a local admin of all PC's under the OU. ... section it has "This group is a member of:" and there is nothing in there.. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group member of another group
    ... We are currently running in Windows 2000 mixed mode. ... I already have the local admin group added to the ... group to the administrators group. ... You apparently have added a second domain group as a member of the local ...
    (microsoft.public.windows.server.active_directory)
  • RE: Automating Local Computer Admin Rights
    ... become a local admin of all PC's under the OU. ... section it has "This group is a member of:" and there is nothing in there.. ... say you add your 1 group you created to the administrators group on the local ... like the domain admins etc.. ...
    (microsoft.public.windows.server.active_directory)