Re: Local admin through group policy and keep admin on local machine?
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 22 Mar 2007 08:34:45 -0700
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23Pqo5$IbHHA.3284@xxxxxxxxxxxxxxxxxxxxxxx
BUILTIN\Administrators - ?
I don't see that as a good idea at first glance. Have you used that
setting in the past?
Works like a champ - post W2k3 SP4, XP SP2, W2k3 SP1 clients of the GPO.
We use it to provision for our client system support unit's subsets of
people.
In the poster's case, doing it all from the client side sounds like they would have to
have a number of GPOs that each target one machine (for the per-machine
unique domain account that ought to be a member in addition to the uniform group).
Roger
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:O7hbhLIbHHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
You could use the restricted user group gpo setting
computer configuration \ windows settings \ restricted groups
group = your group to be made local admins
member of = BUILTIN\Administrators
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx
There is absolutely nothing that has to be done on the client side.
Create the gpo in the ou where the Computers reside (NOT the users), go
to computer configuration/windows settings/security settings/restricted
groups, right click on restricted groups and select new group (For the
local computers, this group name should be - administrators) and key in
the group you want auto populated. Select add on the Members of this
group and then add the members you want populated.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Kevin Rhodes" <KevinRhodes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1E4FAEDB-40EC-4196-8A25-899DA211AF5C@xxxxxxxxxxxxxxxx
I have created a local admin group policy giving a group admin rights over an OU (this is to be for our help desk). Some of our software programs require users to have local admin access as well (so I give it to them through their domain account on the local PC - I don't want to add them to help desk group and give them local admin on all the OU PCs). The problem is that the following day the admin account on the local PC is automatically removed from the list of administrators. I have this set up in a beta environment so we don't have to go to each machine, each day, to add them back in. Any ideas on how to block this? I have tried to turn "no override" on in the GP options, but this too disappears the following day. Is there any way I can speed up whatever cycle time it is on so that I don't have to wait a day to see if it works? (I always do a forced update after I make changes). Thanks in advance.