Re: How to add a domain user to local administrator group?




Lisa,

As Jorge warned (and for anyone who thinks to implement Restricted Groups
without reading the referenced articles) the GPO overwrites the entire list
rather than just adding to it. This can result in denying admin privileges
to the domain administrators group.

I usually find it makes sense to create a test OU with 2-3 computers in it to
test the effects of changing the Restricted Groups policy so you can be sure
it is working as intended before pushing it to the rest of the domain/OU. I
would also suggest that you consider having a separate GPO for just the
restricted groups if you are in an environment that heavily uses GPOs. I hate
adding the overhead of an additional policy, but if you have many overlapping
policies, you can sometimes get into trouble if you move policies or
workstation accounts around only to find that they have fallen out of scope
of the Restricted Group policy. In a smaller environment, it isn't as
important.

Have a great weekend.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"Lisa" wrote:

Thank you so much!

"Jorge Silva" wrote:

Hi
Create and link a GPO to the OU where the workstations are. Then use
Restriction Groups Policy to make that group or user member of the Local
administrators at Workstations.
Make sure that you understand how Restriction Group Policy works before
implementing.
http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
http://support.microsoft.com/kb/810076

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Lisa" <Lisa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:97C93FE0-66C2-48A2-8C66-20ED2E42C0B3@xxxxxxxxxxxxxxxx
Hi,

I have about 300 workstations in my domain. I would like to add a domain user to
the local administrator group for all workstations. It's time consuming to
add the user to those workstations one by one, how can I have it done in
an easy way?

Thanks in advance!

Lisa
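
The overwrite behaviour described in this thread can be checked before a GPO is linked. The following is an added example, not part of the original posts: it parses the [Group Membership] section that a Restricted Groups policy writes to GptTmpl.inf and flags a "Members" list on local Administrators that leaves out Domain Admins. The INF layout and the "Member of" form are not spelled out in the thread; the domain SID, account RIDs and function names are constructed for illustration.

```python
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "-512"       # well-known RID suffix of Domain Admins
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed GptTmpl.inf fragments; account RIDs 1105/1106 are made up.
# "Members" form: the listed SIDs become the whole membership of the group.
SAMPLE_REPLACE = f"""[Unicode]
Unicode=yes
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{DOM}-1105
"""
# "Member of" form: the domain group is added to Administrators instead.
SAMPLE_ADDITIVE = f"""[Group Membership]
*{DOM}-1106__Memberof = *{ADMINISTRATORS}
*{DOM}-1106__Members =
"""

def parse_group_membership(inf_text):
    """Return {group_sid: {"members": [...], "memberof": [...]}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, _, kind = key.strip().rpartition("__")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        groups.setdefault(name.lstrip("*"), {})[kind.lower()] = sids
    return groups

def audit_administrators(inf_text):
    """Flag a Members entry on Administrators that omits Domain Admins."""
    entry = parse_group_membership(inf_text).get(ADMINISTRATORS, {})
    members = entry.get("members")
    if members is None:  # policy does not define who is in Administrators
        return []
    if any(s.startswith("S-1-5-21-") and s.endswith(DOMAIN_ADMINS_RID)
           for s in members):
        return []
    return ["Administrators Members list omits Domain Admins"]

if __name__ == "__main__":
    for label, text in (("replace", SAMPLE_REPLACE), ("additive", SAMPLE_ADDITIVE)):
        print(label, audit_administrators(text) or "no findings")
```

The check only recognises groups written as SIDs; a GptTmpl.inf that stores the group by name would need that name added to the lookup.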



