Re: Further Questions on Adding group to local administrators group via GPO
- From: "Henry Craven {SBS-MVP}" <sme@xxxxxxxxxxxxxx>
- Date: Sun, 3 Jun 2007 10:30:11 +1000
Reply on behalf of an associate...
---
There are multiple ways of achieving the result required, and it depends if you want to install it for all users on certain machines or for all machines for certain users.
Assuming it is the former, you need to create a policy and go to the Software section of the machine component and create the install package. One way is to then connect the policy to an OU and move all of the machines to that OU. However a better method is to use security filtering. You would untick the "Apply" setting in the security section for the Authenticated Users, create a new Group "Program A" and add it to the Security for the Policy and give it READ and APPLY authority. You can then connect this policy at the Domain level and only machines that are members of the group will receive the policy.
The two methods are probably similar if you have only one program to install. However if you have 5 different programs the second method is much simpler since you only need 5 groups, compared to a potential 32 OUs to cover all combinations.
If you wanted to install the program for certain Users, then you would create the install package in the User area of the policy and add Users to the group.
I am not sure what is trying to be achieved to give users local admin rights. Firstly, you do not require Local Admin rights to get the installation of the Software to work. Policies run under the authority of SYSTEM and so can do the installation. If you need to add the Domain Group to the Local Admin Group for some other reason, there is a section in Group Policy under Windows Settings/Security Settings that allows you to add Domain Groups (or users) into Local groups automatically, but this is not an "add" function, it is a "replace" function, i.e. the policy will replace all of the existing members of the group with the list defined in the Policy.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
--
Henry Craven {SBS-MVP}
"stjulian" <stjulian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:eldxwNHpHHA.3944@xxxxxxxxxxxxxxxxxxxxxxx
(Small Business Server 2003 R2).
I would like to have a user set up to do software installations on only one set of computers. Not domain wide. He is not allowed to add users to the domain or, really, control anything else domain-wide. This is just to occasionally add, say, Flash player or other small applications (responsibly of course) to a group of only 6 computers.
In the article referenced below, steps 4-12 show that the application of the group policy needs to be done on each of the workstations.
In my case, I have set up an OU for a remote office under "MyBusiness". I have recreated a global group in that OU ("RemoteOffice Admins") containing the users that will be allowed to log in to the machines as a local admin and moved the computers in that office into the OU.
Is there a way that local admin rights can be assigned to a user (or in this case a group) from the organizational unit on the domain controller? In this way, computers need only be moved into the OU to allow the group (step 3 in Q320065) to be a local admin.
If I try to follow steps 4-12 on the Domain Controller, the GPO seems to be adding my "RemoteOffice Admins" group to the local Administrators group of the Domain Controller.
Also, I hope I am right to assume that the domain-level policies are still applied to that OU, especially the one allowing the Domain Admins access to each of those computers to be accessed by Remote Desktop. I think the default setup for the SBS2003 R2 puts that policy at the domain level. Am I right?
------------------------
Here are the instructions http://support.microsoft.com/kb/320065
Costas
"bennie" <bennie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C07ABCCD-E420-4AC5-9081-558B06590FBD@xxxxxxxxxxxxxxxx
I'm very new to GPO so please bear with me.
How do I add a group I have created in Active Directory to the local
administrators group on a client workstation/s through GPO?
Thanks
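
An added example, not part of the original thread or any participant's code: the "replace" behaviour described in the reply above can be previewed before a policy is linked, by comparing the member list stored in the policy's security template with a workstation's current local group membership. It assumes the list is read from the `[Group Membership]` section of the GPO's GptTmpl.inf (`*SID__Members = ...`); every SID and the current-membership data are constructed.

```python
# Added example: preview what a Restricted Groups "replace" would remove.
# SAMPLE_INF and CURRENT are constructed sample data, not from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
[Version]
Revision=1
"""

# Constructed current members of local Administrators (S-1-5-32-544) on one PC.
CURRENT = {"S-1-5-32-544": {
    "S-1-5-21-1111-2222-3333-512",   # Domain Admins (RID 512)
    "S-1-5-21-1111-2222-3333-1120",  # hypothetical user added by hand
    "S-1-5-21-1111-2222-3333-1130",  # hypothetical helpdesk group
}}


def parse_members(inf_text):
    """Return {group_sid: set(member_sids)} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not in_section or not sep or not key.endswith("__Members"):
            continue  # other keys in the section are ignored here
        group = key[: -len("__Members")].lstrip("*")
        groups[group] = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return groups


def preview_replace(policy, current):
    """For each group the policy defines, list who would be removed and added."""
    report = {}
    for group, wanted in policy.items():
        have = current.get(group, set())
        report[group] = {"removed": sorted(have - wanted), "added": sorted(wanted - have)}
    return report


if __name__ == "__main__":
    for group, diff in preview_replace(parse_members(SAMPLE_INF), CURRENT).items():
        print(group, diff)
```

A real GptTmpl.inf is normally stored as UTF-16, so decode it accordingly before passing the text to `parse_members`.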