Re: local admin issues
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxx>
- Date: Sat, 11 Apr 2009 11:35:15 -0700
You can build the GPO from any computer that already has GPMC installed.
The built-in local groups (e.g. Administrators, Power Users) are present and have the same SID on all Windows computers. It doesn't matter which computer you build the GPO on, the local groups will be populated as specified in the Restricted Groups settings.
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Ace Fekay [Microsoft Certified Trainer]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:e99pVIfuJHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
"Berni" <Berni@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0EE739A0-0AAE-4F73-9B18-E7745FA1D7B8@xxxxxxxxxxxxxxxx
Hi,
I've got two questions.
1st question:
Is there a way to prevent domain admins from being removed from the local admins
group via GPO?
In our case we've got some domain users which are also in the local admins
group and they can (if they want to) delete the domain admins from this
group.
This would prevent the domain admins from accessing these computers for
administrative purposes...
I know, having domain users as local admins is not the best practice but in
some cases of ours it is necessary.
Is there a way to prevent the domain admins group from being removed, or is there
any setting via GPO to force domain admins to be in the local admins group,
or is there another best practice?
2nd question:
Is there a way to add a domain user via GPO to the local admins group of
specific computers?
This would be very helpful; we need a user which is a local admin on some
computers but it should not be a member of the domain admins group, and the
local assignment of the user on each computer would be quite inefficient.
Or is there another solution for this topic?
Thanks in advance,
Best regards
Berni
Bernie,
I agree with everyone, your best option is using Restricted Groups. The following is my blog with a step by step. I hope it helps.
======================================================================================================
======================================================================================================
Restricted Groups
(You'll need to do this from an XP machine)
Going on memory... forgive me if I missed a step...
In AD, create an OU and call it Restricted Groups (or whatever you want to call it)
In AD, create a group and call it Local Power Users Group
Create another and call it Local Admin Users Group
Logon as domain admin on an XP machine
Install the GPMC on an XP machine
Open the GPMC and navigate to the OU you created above
Create and link a new GPO to the OU
Right-click on it and choose Edit
Navigate to the Computer section, and Restricted Groups
Choose new group, browse to the domain's Local Power Users Group and add it to the local XP machine's groups, and choose Power Users
Choose new group, browse to the domain's Local Admin Users Group and add it to the local XP machine's groups, and choose Administrators
Move the computer to the OU
Add the user to the Local Power Users Group in AD that you created above
On the machine where the user is logged on, have him logoff and logon
May have to have him do it twice
In the XP machine's Computer Management console, look at the local Power Users and Administrators groups and see if the Domain\Local Power Users Group is added to the machine's local Power Users group and the Local Admin Users Group is added to the machine's local Administrators group. If so, they will show up as grayed out, meaning the policy is working. If you added the user to the domain's Local Power Users Group, then the user should now be able to perform actions of a Power User.
Using Restricted Groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
Restricted groups are made for that:
http://www.frickelsoft.net/blog/?p=13
You can also use Group Policy Preferences:
You can take advantage of the Local Users and Groups settings of Group
Policy Preferences, which gives you an option to add the current user to an
arbitrary local group (including local Administrators). For more info, refer
to http://technet.microsoft.com/en-us/library/cc731972.aspx
======================================================================================================
======================================================================================================
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
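An added audit script, not from any post in this thread, that follows up on Bruce's point about well-known SIDs and Ace's final verification step: it enumerates the local Administrators and Power Users groups by SID (S-1-5-32-544 and S-1-5-32-547, identical on every Windows machine even when the display name is localized) and reports whether Domain Admins (domain SID plus RID 512) and the two AD groups named in Ace's walkthrough are present. It assumes a domain-joined machine, a domain logon and Windows PowerShell 2.0 or later; the group names "Local Admin Users Group" and "Local Power Users Group" are the ones from the thread and are assumed to appear as bare sAMAccountNames.

```powershell
# Added example, not from the thread: audit local Administrators / Power Users
# membership by well-known SID and warn when expected domain principals are gone.
# Assumes a domain-joined machine, a domain logon, Windows PowerShell 2.0+.
param([string]$ComputerName = $env:COMPUTERNAME)

function Get-LocalGroupMemberBySid {
    param([string]$Computer, [string]$GroupSid)
    # Translate the built-in SID to its local (possibly localized) name, e.g. BUILTIN\Administrators
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $GroupSid
    $groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$Computer/$groupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its name and SID bytes via late binding
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0).Value
        }
    }
}

# Domain Admins is always <domain SID>-512; derive the domain SID from the caller's token
$domainSid       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value
$domainAdminsSid = "$domainSid-512"

# Expected membership per built-in group (AD group names assumed from the thread)
$expected = @(
    @{ GroupSid = 'S-1-5-32-544'; Label = 'Administrators'; Sids = @($domainAdminsSid); Names = @('Local Admin Users Group') },
    @{ GroupSid = 'S-1-5-32-547'; Label = 'Power Users';    Sids = @();                Names = @('Local Power Users Group') }
)

foreach ($e in $expected) {
    $members = @(Get-LocalGroupMemberBySid -Computer $ComputerName -GroupSid $e.GroupSid)
    $sids  = @($members | ForEach-Object { $_.Sid })
    $names = @($members | ForEach-Object { $_.Name })
    foreach ($s in $e.Sids)  { if ($sids  -notcontains $s) { Write-Warning "$ComputerName/$($e.Label): SID $s missing (Domain Admins removed?)" } }
    foreach ($n in $e.Names) { if ($names -notcontains $n) { Write-Warning "$ComputerName/$($e.Label): '$n' not present (policy not applied?)" } }
    "$ComputerName/$($e.Label): $($members.Count) member(s)"
    $members | Format-Table Name, Sid -AutoSize
}
```

Run it against a list of computer names to spot machines where Restricted Groups has not applied yet (the domain group is absent) or where a local admin has removed Domain Admins.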