Re: Add another domain user group to local administrators of all computers in an OU with removing others?



Hello rosevilleca@xxxxxxxxx,

If you have a group "mylocaladmins", which is added to restricted groups, with user1, user2 and user3, you can add or remove accounts to this group without affecting the other users in the group; they will still be local admins.

You will always have a kind of limitation when working with GPOs, because they can apply to computers or users. But if you have such different needs for separating computers, you have to do good planning beforehand about what you want to achieve for which users/groups. Additionally, you have to think about the fact that if you have a lot of local admins, you can have a lot more problems.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

On Jul 18, 3:01 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

Hello rosevill...@xxxxxxxxx,

You can add/remove users/groups in restricted groups as you like. But if you only work with groups in restricted groups, you can just add/remove users to the group in AD you specified. Additionally, you can always create a new GPO for another OU with different accounts/groups.
Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Even if it doesn't remove existing users from the local administrators, doesn't it "RESTRICT" you from later adding individual users to that machine's local administrator group? We will need the flexibility to add other local admin users to specific computers as needed. On some machines the assigned user will be an admin on the box and on others, they will not. I have heard that using restricted groups closes your options.

On Jul 18, 11:57 am, "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote:

Using restricted groups properly doesn't remove anyone from the local admins group. You are using it incorrectly in forcing only group members defined in the gpo. See below to learn how to use it correctly.

+++++++++++++++++++++++++++++++++++++++++++++++

computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar ...
http://www.microsoft.com/resources/documentation/windows/xp/all/prodd ...

There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to computer configuration/windows settings/security settings/restricted groups, right click on restricted groups and select new group (For the local computers, this group name should be - administrators) and key in the group you want auto populated. Select add on the Members of this group and then add the members you want populated.

Note: Be aware that the higher you place this setting within the domains group policy the possibility exists it is applied to machines you may not want it applied to. With this in mind you should try and avoid this setting at the domain level, with the exception on the domain admins group. We have some users who are local admins on machines and for some reason they feel compelled to remove the domain admins from their local administrators group. Setting this at the domain level manages these annoying users.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<rosevill...@xxxxxxxxx> wrote in message
news:81e53be3-bde4-496d-a66c-91e9cdf32eb0@xxxxxxxxxxxxxxxxxxxxxxxxxcom...

The subject should say
"Add another domain user or group to local administrators of all computers in an OU WITHOUT removing others?"

This does not seem to also let you add and remove users from specific computers.

For instance, what if I want domain admins, helpdesk, and desktop support to be in the local admins group of all workstations, but additional individual users to also be added to certain machines, but not domain-wide?

This is what the link to the pages posted above shows, and it does not sound like it lets me do what we need to do:

"Members of this group – This setting allows you to control the members of the group that you specify for the policy. The members can include both user and group accounts. When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer. Another indirect benefit of using the Restricted Group setting is that it will automatically remove any local user accounts that should not be added to the Administrators group. This typically includes local user accounts that have been created by the user of the computer, to bypass domain security."

That really sounds like it will overwrite existing members and not allow any additional users to be added to some machines and not others.

If restricted groups were in place and we later needed John Smith to be an admin on jsmith-desktop, he would need to be added to the restricted group to get local admin rights on that machine, but then he would be a local admin on every workstation instead of only that one.
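As an added example (not from any poster in this thread), the following Python script parses the [Group Membership] section of a GptTmpl.inf, the SYSVOL file in which a GPO's Restricted Groups setting is stored, and reports whether the policy uses the "Members of this group" style on Administrators (which replaces the membership, the behaviour quoted above) or the "Member of" style Paul describes (which only adds the domain group). The two sample sections and the MYDOMAIN group names are constructed.

```python
import re

# Constructed samples of the [Group Membership] section of a GptTmpl.inf, the
# SYSVOL file in which a GPO's Restricted Groups setting is stored. Group names
# are fictitious; *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
OVERWRITE_STYLE = """\
[Group Membership]
*S-1-5-32-544__Members = MYDOMAIN\\Domain Admins,MYDOMAIN\\helpdesk
"""
ADDITIVE_STYLE = """\
[Group Membership]
MYDOMAIN\\mylocaladmins__Memberof = *S-1-5-32-544
MYDOMAIN\\mylocaladmins__Members =
"""

def _is_local_admins(name):
    # Accept the SID (with or without the '*' prefix) or the friendly name.
    return name.lstrip("*").upper() in ("S-1-5-32-544", "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS")

def parse_group_membership(inf_text):
    # {group: {"members": list or None (key absent), "memberof": list}}
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+?)__(Members|Memberof)", key.strip())
        if not m:
            continue
        entries = [v.strip() for v in value.split(",") if v.strip()]
        g = groups.setdefault(m.group(1), {"members": None, "memberof": []})
        if m.group(2) == "Members":
            g["members"] = entries  # key present: membership is replaced, even if empty
        else:
            g["memberof"] = entries
    return groups

def classify_local_admins(inf_text):
    # "Members of this group" on Administrators replaces its membership; "Member of" on another group only adds that group.
    enforced, added = None, []
    for group, g in parse_group_membership(inf_text).items():
        if _is_local_admins(group) and g["members"] is not None:
            enforced = g["members"]
        if any(_is_local_admins(t) for t in g["memberof"]):
            added.append(group)
    return {"overwrites_local_admins": enforced is not None,
            "enforced_members": enforced, "groups_added_to_local_admins": added}
```

Run it against the GptTmpl.inf of each GPO linked to the workstation OU; any policy that reports overwrites_local_admins is the one that will strip per-machine admins at the next refresh.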
