Further Questions on Adding group to local administrators group via GPO

(Small Business Server 2003 R2).

I would like to have a user set up to do software installations on only one
set of computers. Not domain wide. He is not allowed to add users to the
domain or, really, controll anything else domain-wide. This is just to
occasionally add, say, Flash player or other small applications (responsibly
of course) to a group of only 6 computers.

In the article referenced below, steps 4-12 show that the application of the
group policy needs to be done on each of the workstations.

In my case, I have set up an OU for a remote office under "MyBusiness". I
have recreated a global group in that OU ("RemoteOffice Admins") containing
the users that will be allowed to log in to the machines as a local admin
and moved the computers in that office into the OU.

Is there a way that local admin rights can be assigned to a user (or in this
case a group) from the organizational unit on the domain controller? In this
way, computers need only be moved into the OU to allow the group (step 3 in
Q320065) to be a local admin.

If I try to follow steps 4-12 on the Domain Controller, the GPO seems to be
adding my "RemoteOffice Admins" group to the local Administrators group of
the Domain Controller.



Also, I hope I am right as to assume that the domain-level policies are
sitll applied to that OU, especially the one allowing the Domain Admins
access to each of those computers to be accessed by Remote Desktop. I think
the default setup for the SBS2003 R2 puts that policy at the domain level.
Am I right?


------------------------
Here are the instructions http://support.microsoft.com/kb/320065

Costas

"bennie" <bennie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C07ABCCD-E420-4AC5-9081-558B06590FBD@xxxxxxxxxxxxxxxx
I'm very new to GPO so please bear with me.

How do I add a group I have created in Active Directory to the local
administrators group on a client workstation/s through GPO?

Thanks



.

Relevant Pages

  • Re: Granting Domain Users Local Admin Rights
    ... login is added to the local PC with administrator rights. ... haven't been added as a local admin for local admin rights are ... Add the Interactive Users group as to the local admin group ... conference room computers and training room computers usually include ...
    (microsoft.public.windowsxp.security_admin)
  • Re: SBS2003 Client Setup Wizard Problem
    ... I WAS NOT happy with adding users to the local admin group even for first ... they will ask for User Account Control for permission to connect to the domain. ... this user will be added to local admin user group on the client computers. ...
    (microsoft.public.windows.server.sbs)
  • Re: Domain account - rights to install apps on all workstation in
    ... And when you say "all computers" hopefully you mean NON-DCs ... account to the local Admin group? ... You can use Restricted Groups in a GPO for actually putting a domain ... group in the local Administrators groups of the computers. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Add another domain user group to local administrators of all computers in an OU with removing ot
    ... Maybe you should use some tools like filemon and regmon to find the needed rights for your software to run them without being local admin. ... because they can apply to computers or users. ... Select add on the Members of this group and then add ... machines you may not want it applied to. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Client Setup Wizard
    ... I'm running into a problem on about 4 of the computers. ... At Login (when client setup wizard script runs) on only a few of the ... If I change the the user to a local admin then I don't receive the ... Making users part of the local admin group is unacceptable. ...
    (microsoft.public.windows.server.sbs)