Making a Domain Group Local Admins Via Group Policy

Anonymous
February 11, 2005 3:09:10 PM

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory

I want to create a Support Engineer group for our support guys, so they can
have local but not domain admin rights.

I would like to do it through group policy by applying it to an OU so that
they have local admin rights to any machines under that OU. How do I do
this?

I've been adding them to the local Administrators group on each machine by
script, but this is cumbersome and needs to be done every time a new machine
is added to the network. Having this done automatically through Group
Policy would be much tidier.

Details:

Desktop O/S: Windows XP SP2
Server O/S: Windows Server 2003
Active Directory mode: 2003 Native

--
Paul Anderson
IT Support Analyst
East Antrim Institute of Further & Higher Education
Anonymous
February 11, 2005 3:09:11 PM

On Fri, 11 Feb 2005 12:09:10 -0000, "Paul Anderson" <paul.anderson@eaifhe.REMOVE_NOSPAM.ac.uk> wrote:

>I want to create a Support Engineer group for our support guys, so they can
>have local but not domain admin rights.
>
>I would like to do it through group policy by applying it to an OU so that
>they have local admin rights to any machines under that OU. How do I do
>this?
>
>I've been adding them to the local Administrators group on each machine by
>script, but this is cumbersome and needs to be done every time a new machine
>is added to the network. Having this done automatically through Group
>Policy would be much tidier.
>
>Details:
>
>Desktop O/S: Windows XP SP2
>Server O/S: Windows Server 2003
>Active Directory mode: 2003 Native


See tip 5319 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
Anonymous
February 11, 2005 3:09:11 PM

Paul,

This question is asked at least 10 times a week! ;-)

Please search this NG for 'Restricted Groups'. That is your answer.

And, most people would suggest that normal user account objects are *NOT*
added to the computer's local Administrator group. I can sing a song or two
about users deleting their FONTS folder to make room for their music files
or to make sure that only the fonts that they need for a project are
available! I know that this is for a Support Group. Just keep in mind that
for normal users this is a bad idea.

Now, when creating the GPO make sure that you follow the following MSKB
Article: http://support.microsoft.com/?id=320065. It is important that you
do this from a workstation that has the ADMINPAK installed. Even though
this article is for WIN2000 and you have WIN2003 the same concepts apply.
Do it from a workstation or have fun trying to figure things out!

Additionally, be aware that the default behavior is to flush the contents of
the affected computer account objects' local Administrators group and replace
it with the group that you specify. You might want to add two groups when
creating the GPO: the Support group that you have created and the Domain
Admins group. There is a fix for this that modifies the default behavior.
Please look at the following MSKB Article:
http://support.microsoft.com/?id=810076. I might stay with the default,
though. This way you know who is a member.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Paul Anderson" <paul.anderson@eaifhe.REMOVE_NOSPAM.ac.uk> wrote in message
news:ongKKKDEFHA.3732@TK2MSFTNGP14.phx.gbl...
>I want to create a Support Engineer group for our support guys, so they can
>have local but not domain admin rights.
>
> I would like to do it through group policy by applying it to an OU so that
> they have local admin rights to any machines under that OU. How do I do
> this?
>
> I've been adding them to the local Administrators group on each machine by
> script, but this is cumbersome and needs to be done every time a new
> machine is added to the network. Having this done automatically through
> Group Policy would be much tidier.
>
> Details:
>
> Desktop O/S: Windows XP SP2
> Server O/S: Windows Server 2003
> Active Directory mode: 2003 Native
>
> --
> Paul Anderson
> IT Support Analyst
> East Antrim Institute of Further & Higher Education
>
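
A check for the pitfall described in the reply above, as an added example that is not part of the original thread: it reads the `[Group Membership]` section that a Restricted Groups policy stores in the GPO's `GptTmpl.inf` and reports whether the local Administrators group is being replaced by a list that omits Domain Admins. The function names and the sample SIDs are constructed for illustration, and the check assumes groups are written as SIDs.

```python
import re

ADMINS_SID = "S-1-5-32-544"   # built-in local Administrators group
DOMAIN_ADMINS_RID = "512"     # Domain Admins is S-1-5-21-<domain>-512

# Constructed sample: Administrators replaced by a list holding only a support group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not (in_section and m):
            continue
        group = m.group(1).lstrip("*")
        values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})[m.group(2).lower()] = values
    return groups

def audit_local_admins(text):
    """Return (mode, principals, domain_admins_listed) for each change to local Administrators."""
    findings = []
    for group, entry in parse_group_membership(text).items():
        if group == ADMINS_SID and entry["members"]:
            # Replace mode: anything not in this list is removed from the group.
            has_da = any(re.fullmatch(r"S-1-5-21-[\d-]+-" + DOMAIN_ADMINS_RID, s)
                         for s in entry["members"])
            findings.append(("replace", entry["members"], has_da))
        elif ADMINS_SID in entry["memberof"]:
            # "Member of" direction: this group is added to local Administrators.
            findings.append(("add", [group], None))
    return findings

if __name__ == "__main__":
    for mode, who, has_da in audit_local_admins(SAMPLE_INF):
        print(mode, who, "Domain Admins listed:", has_da)
```
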