Mazdajai
asked on
Create Domain Group with Local Administrator Right
How can I create a domain group with local administrator rights, so that, if a user needs administrative rights to the local server, I can simply add him or her to the group?
For member servers and workstations, absolutely. For Domain Controllers, no. Domain Controllers do not have local account databases.
ASKER
mkline71,
That sounds like what I am looking for, I will let you know how it goes. Thanks.
ok, just test first, get a feel for it.
You can use restricted groups. Have a look at:
http://www.windowsecurity.com/articles/using-restricted-groups.html
ASKER
I have created the restricted group and added a member to the restricted group.
However, the member does not appear to have admin rights. Under the server > local administrators group, I still only see local administrator and Domain\Domain admin. Anything I should check?
ASKER
1) GPO is on domain policy
2) I understand I cannot add users directly. See printscreen.
Untitled.jpg
Yes. Correct. Go ahead.
ASKER
I do a net user on the member that has been added to the restricted group; I do not see him in the "administrators" group, nor does he have administrator rights on the local machine...
So it looks like you populated both "Members of this group" and "This group is a member of".
So if you just want to add that localadmn group to what is there, use the bottom "This group is a member of".
Also, I'd first test on an OU; don't test on domain policies until you know it works (a lab would be best).
Thanks
Mike
restricted-groups1.jpg
ASKER
I did. Any way I can test and validate the result?
see this - https://www.experts-exchange.com/questions/23006266/How-to-make-a-domain-user-local-administrator-of-windows-2003-Server.html
"log on as admin to the local computer that you want to give admin access to.
Add the user to the Local Administrators Group
Right click on "My computer" and select "manage"
Expand local users and groups
Expand groups
Expand the administrators group and click ADD
Enter the domain user eg domain\username
and OK all the way out"
ASKER
There are 500 servers, adding and removing users via gui or command line is not feasible.
Someone has suggested Restricted Groups; this seems like what I am looking for, but I am having problems with it.
Have you thought about scripting the command over the network? I'm sure if you add a tag for vbscript and request attention, someone would be able to help you write it.
@ Mazdajai :
What kind of problem do you face in using Restricted Groups?
ASKER
The restricted group did not show up in the local administrator group, or the users that I have put in the restricted group do not have admin rights.
I have put an AD group in the restricted group; the AD group contains test users. The GPO is linked to an OU. See post id 36243029.
You have followed the right procedure. Now, on the client side, check that the GPO is applied. Run rsop.msc to check that the GPO applied correctly; does it show the same group as you have defined?
gpresult /r will also show you all the applied policies
ASKER
qcuser is added to LocalAdm group -
Full Name qc
Local Group Memberships *Staff
Global Group memberships *Domain Users *LocalAdm
Should he be in the Administrator group?
Applied Group Policy Objects
-----------------------------
NoUpdate
Test GPO
Domain Policy
Local Group Policy
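Added example, not part of the thread: the two Restricted Groups modes discussed above ("Members of this group" and "This group is a member of") are stored in the [Group Membership] section of the GPO's GptTmpl.inf in SYSVOL, and this sketch classifies how a template affects the local Administrators group. It assumes the template text has already been read and decoded; the SID and both sample templates are constructed placeholders.

```python
# Added example, not from the thread: classify how a Restricted Groups template
# (GptTmpl.inf, [Group Membership] section) affects the local Administrators group.
ADMINS = {"s-1-5-32-544", "administrators"}  # well-known SID / name of BUILTIN\Administrators

# Constructed samples; the domain SID below is a placeholder, not a real value.
LOCALADM = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADDITIVE_INF = f"[Group Membership]\n*{LOCALADM}__Memberof = *S-1-5-32-544\n*{LOCALADM}__Members =\n"
REPLACE_INF = f"[Group Membership]\n*S-1-5-32-544__Memberof =\n*S-1-5-32-544__Members = *{LOCALADM}\n"


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the INF text."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(group.lstrip("*"), {"members": [], "memberof": []})[kind.lower()] = entries
    return groups


def admin_effects(inf_text):
    """List (mode, principal) pairs that change local Administrators membership."""
    effects = []
    for group, cfg in parse_group_membership(inf_text).items():
        # "This group is a member of": the group is added, existing members stay.
        if any(target.lower() in ADMINS for target in cfg["memberof"]):
            effects.append(("additive", group))
        # "Members of this group" set on Administrators itself: the list replaces
        # the current membership, so unlisted accounts are removed on refresh.
        if group.lower() in ADMINS:
            effects.extend(("replace", member) for member in cfg["members"])
    return effects


if __name__ == "__main__":
    for name, text in (("additive", ADDITIVE_INF), ("replace", REPLACE_INF)):
        print(name, admin_effects(text))
```

On a target server, the resulting membership can then be compared against `net localgroup Administrators`, which lists the groups nested in local Administrators; `net user` only lists a user's direct local group memberships.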