RE: Automating Local Computer Admin Rights
- From: one3cap <one3cap@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 24 Mar 2006 11:51:01 -0800
Sorry, I am at work and was typing really fast. As far as the "it staff" group,
add users to that group. You cannot use the %username%; just add the group of
users.

"one3cap" wrote:
I think I might understand your last question. When you go to restricted
groups, the first box that pops up, add administrators. Then the confusing box
that you were talking about, where it had the top and bottom selection: in the
first box add your group of whatever it was, 11 admins, but what you really
need to do is create a security group in Active Directory and name it like
"it staff" or something like that. Now in that top box add that group, then
add domain admins because they are there by default, and add administrators. OK,
now after you refresh that policy and reboot the machine, when you go in to
computer management and users and groups, click on groups and choose the
administrators group; you should see "it staff" with all your 11 or whatever
users were in that group, then domain admins and administrator. But be
careful: you will wipe all the existing members of the admins group from the
local machine, and only the people and groups you added in the restricted
groups are going to be admins. Just apply that to a child OU of computers and
it will not trickle down. But use gpmc, it is really good for stuff like rsop
and to see what OUs are getting which GPOs. Reply back.

"one3cap" wrote:
To my understanding, if you link a GPO to a child OU and not the parent OU, the
GPO settings will not trickle down or inherit the settings just from a child
OU. You can test this with child OUs of your own. Use the gpmc utility and
create a parent OU and a couple of children. Link a OU to the parent OU and you
will see the GPO inherit to the children by going to the inherit tab on the
right and viewing what GPOs are applied to each child OU. Now try to link a
GPO to a higher child OU in the same OU, and now look at that lower child OU
and see what policies that lower child OU inherited... it did not inherit
the GPO. Only GPOs linked to parent OUs trickle down to the children only
in that OU. Now, I didn't quite understand your last post; let me read it again.

"xJayboyx" wrote:
Hello, sorry to be a pain, but I discovered that we will have another major
issue if I implement this. At this point we give the personal domain user of
the PC administrator rights. How would I go about that?? I'm thinking I'm
gonna be screwed with this one?? There wouldn't be anything I can do with
%username%, is there?? I really don't want to touch every one of these machines.
Again, thanks for your help.
Jason

"xJayboyx" wrote:
Thank you very much. I got it to work on my test OU. Now one last question.
I created the GPO on a test OU that had the computer right in that OU.
Now how my setup is: I have a parent OU of "NFSB". Under that I have a Users
OU and a Computers OU. Then under those I have the name of the BRANCH.
Then the computers are under the correct branch. Now will I be safe to put
this on the "COMPUTERS" OU, and it will trickle down into the child OUs,
correct??
Again, you were very helpful.
Thank you.

"one3cap" wrote:
OK, ya, go to restricted group, but this is going to need to be a GPO attached
to an OU and have computer accounts in there. When the first box opens up,
either browse for the group or type in administrators. Now the confusing box
opens up; up on the top add your special group and then add the domain admins
group, because by default they are in the local admin group on each local
computer. If you just add your special group then that group will be the only
member of the administrators group on the local machine. After you add that,
maybe do a gpupdate /force on a machine; it will probably ask you to reboot
because it found some computer GPO settings. After that go to computer
management on the local machine, then go to users and groups, choose groups, then
choose administrators, and you should see all those groups on each computer in
that OU that you have computer accounts in... I have done it many times, I
know for a fact it works. Please let me know what happens. I am a noobie
poster here.

"xJayboyx" wrote:
Thank you for the responses. Now this can be done at any OU level, correct?? I
have set up a test OU just for things like this and I made the change that you
told me to make, but it hasn't done anything. I'm not sure if I have it set
right or not.
--
Here were my steps. 1.) Right click Restricted Groups and click Add Group.
2.) Now here is where I put in the group that I have created that I want to
become a local admin of all PCs under the OU. After that point is where I
kind of get confused. The top section says "Member of this group:". I added the
group Administrators, thinking it wanted the local group. Then at the bottom
section it has "This group is a member of:" and there is nothing in there.
Not sure if I need something there or not.
Did some Google searching as well and didn't come up with a solution.
Thanks again

"one3cap" wrote:
Yes, there is a way using a GPO. Under computer config, security, and then restricted
groups, you can add a group to the local administrators group on each workstation
without touching each workstation. But when you use restricted groups and, let's
say, you add your 1 group you created to the administrators group on the local
machine, you will wipe out all other memberships to the local admins group,
like the domain admins etc. So you must add all groups in there that you
want to be admins to the local machines, not just your one group, unless you
only want 1 group to be in the administrators group of the local
machine... make sense, I hope.

"xJayboyx" wrote:
I work for a bank that currently has six banks under the holding company. So
there are approximately 10 or so “Administrators” for our WAN. Now we have had
examiners chewing us out for having too many users in the “Domain Admins”
group. So we have gone ahead and created a different group that basically has
the same amount of rights as the Domain Admins, but this way we don’t have the
“Domain Admins” group full of users.
Now my question is: is there a way in a policy of some sort that I can make
this new group that was created a local admin for each PC without me having
to touch every single computer??
- Thanks for any input.
Jason
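
An added example, not part of the thread and not any poster's code: it checks a GPO security template for the replace-the-membership behaviour described above, reporting which expected admin groups are absent from the Members list enforced on the local Administrators group. It assumes the Restricted Groups settings are stored in the GPO's GptTmpl.inf under [Group Membership] as `__Members` / `__Memberof` lines; the domain SID and the RID used for "it staff" are constructed.

```python
import re

# Constructed sample: [Group Membership] section of a GPO's GptTmpl.inf.
# The domain SID and RID 1105 (standing in for "it staff") are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
IT_STAFF, DOMAIN_ADMINS = f"{DOM}-1105", f"{DOM}-512"  # 512 = Domain Admins RID
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{IT_STAFF}
"""

LINE = re.compile(r"^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.IGNORECASE)


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = LINE.match(line) if in_section else None
        if match:
            group, kind, value = match.groups()
            sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            groups.setdefault(group, {"members": [], "memberof": []})[kind.lower()] = sids
    return groups


def missing_admins(inf_text, expected):
    """Expected principals absent from a populated Members list for Administrators.

    Returns None when the policy lists no Members for Administrators, since
    this check only covers the replace-the-membership case from the thread.
    """
    entry = parse_group_membership(inf_text).get(ADMINISTRATORS)
    if not entry or not entry["members"]:
        return None
    return sorted(set(expected) - set(entry["members"]))


if __name__ == "__main__":
    # Only "it staff" is listed, so Domain Admins would be dropped on refresh.
    print(missing_admins(SAMPLE_INF, [IT_STAFF, DOMAIN_ADMINS]))
```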