Re: Give user Admin rights to all PCs?



"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eJDKRJQiHHA.4596@xxxxxxxxxxxxxxxxxxxxxxx

"Cwhitmore" <Cwhitmore@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E8BB52BD-87CF-4B84-8D81-B3242920DC75@xxxxxxxxxxxxxxxx
I would like to set up a user to have local admin rights to every PC in our
agency, but I don't want to include them in the Administrators group on
Active Directory.

With care you can use the GPO Restricted Groups to do this.

You would require (regular Domain Admins, local Administrator, and) a
Global Group (say: CompAdmins) you create to be a member of Administrators
on every non-DC or non-Server etc.


Actually a domain local group can also be used.


Place the user in that Group, e.g., CompAdmins.

Is this possible without having to manually add this user to each PC's
local admin group?

Yes. Restricted Groups. But be careful since this sets the EXACT
membership of a group -- both positively and negatively, no one can be
added or removed without the GP updates restoring the restriction set
specified.


What the poster should do in their case, provided that their machines
are all at current service pack levels, is

define domain group CompAdmins

if desired, on a GPO that impacts the DCs OU, define a
restricted group for CompAdmins and use the Members
list there to make the desired user account(s) members
else add the desired user accounts to CompAdmins

in a GPO that impacts the desired machines (being very
careful NOT to affect the DCs OU, i.e. not linked to the
domain or the DCs OU) define as a restricted group
Administrators and DO NOT alter the Members list
but DO alter the Member Of list so that it includes the
domain's CompAdmins group

This will add CompAdmins to the machine local Administrators
group without affecting the membership of it in any other way.

Roger
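
Added example (not part of the original thread, and not any poster's code): a PowerShell check to run after the policy has applied, confirming that CompAdmins is in each PC's local Administrators group and that nothing was stripped, which is the failure an exact Members list causes. The function name `Test-LocalAdminMembership`, the domain CONTOSO and the PC-* hosts are constructed for illustration.

```powershell
# Added example. CONTOSO, CompAdmins and the PC-* hosts are constructed placeholders.
function Test-LocalAdminMembership {
    param(
        [Parameter(Mandatory)] [hashtable] $MembersByComputer,  # computer -> member names
        [Parameter(Mandatory)] [string]    $RequiredGroup,      # group the GPO should add
        [Parameter(Mandatory)] [string[]]  $Baseline            # entries that must survive
    )
    foreach ($computer in ($MembersByComputer.Keys | Sort-Object)) {
        # Write machine-local accounts as ".\name" so one baseline fits every PC.
        $prefix  = '^' + [regex]::Escape($computer) + '\\'
        $members = @($MembersByComputer[$computer] | ForEach-Object { $_ -replace $prefix, '.\' })

        [pscustomobject]@{
            Computer        = $computer
            HasRequired     = $members -contains $RequiredGroup
            # Non-empty: something was stripped, as an exact Members list would do.
            MissingBaseline = @($Baseline | Where-Object { $members -notcontains $_ })
            # Entries beyond baseline + required group; additive policy leaves these alone.
            Extra           = @($members | Where-Object {
                                  $_ -ne $RequiredGroup -and $Baseline -notcontains $_ })
        }
    }
}

# Constructed snapshots. On a live PC the list would come from:
#   (Get-LocalGroupMember -Group Administrators).Name
$snapshot = @{
    'PC-01' = 'PC-01\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\CompAdmins', 'PC-01\setup'
    'PC-02' = 'PC-02\Administrator', 'CONTOSO\Domain Admins'   # policy not applied yet
    'PC-03' = 'CONTOSO\CompAdmins'                             # everything else removed
}

Test-LocalAdminMembership -MembersByComputer $snapshot `
    -RequiredGroup 'CONTOSO\CompAdmins' `
    -Baseline '.\Administrator', 'CONTOSO\Domain Admins' |
    Format-Table -AutoSize
```

A row with `HasRequired` false means the policy has not reached that PC; a non-empty `MissingBaseline` means existing administrators were removed rather than left in place.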

