
Active Directory: Adding domain user into local admin group remotely

Posted on 2004-08-28
Last Modified: 2010-04-13
Situation:  My company is using applications that require the user to have local admin rights.  Therefore, I have to add domain users into the local PC administrators group.

Question:  Is there a way to do this remotely via AD, GPO, etc., so that I don't have to go to each PC and manually add the domain usernames into the local PC administrators' group?

Thanks.
0
Question by:halfondj
22 Comments
 

Accepted Solution

by:
jdeclue earned 300 total points
ID: 11920693
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21103634.html

Please see this post, it explains how to set local groups from GPO... let me know if you need help with this.

J
0
 

Expert Comment

by:Pete Long
ID: 11920710
Windows 2003: Creating and editing group policy

Group policies can be applied to a domain or an Organisational Unit. To apply a group policy in a 2000/2003 domain environment, do the following.

On a domain controller, open "Active Directory Users and Computers".

NOTE: As said above, you can apply a GP to an OU; in this instance we will deal with a domain GP. If you are concerned with a GP for an OU, insert the "OU name" instead of the "Domain Name".

1. Locate the domain (top of the tree), right-click it, then select "Properties".
2. Select the Group Policy tab.
3. You will see the Default Domain Policy (and any other policies applied at this level).
4. You can create another domain policy by clicking "New", giving it a name and configuring it.
5. Ensure the Default Domain Policy is highlighted and select "Edit" (unless you are working on another policy).
6. The Group Policy Object Editor will open.
7. You can now edit the policy and close the editor when you are finished.
8. Back in the domain properties, click "Apply" and "OK".

Troubleshooting Group Policy in Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=B24BF2D5-0D7A-4FC5-A14D-E91D211C21B2&displaylang=en

Group Policy Infrastructure White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en

To add domain users to LOCAL Administrators, look in the following location:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Add Administrators, then on the Members tab put in the domain users.


0
 

Author Comment

by:halfondj
ID: 11920711
Excellent.  That's exactly how I was doing it yesterday, but I didn't get a chance to test what I did.  Also, I wanted to confirm that I was doing it correctly.

Thanks.
0
 

Author Comment

by:halfondj
ID: 11920724
Thanks PeteLong.  I saw the previous answer first.  I owe you points :).
0
 

Expert Comment

by:Pete Long
ID: 11920775
That's OK, don't worry about it :) Glad you are sorted - see you in your other Q :)

Pete
0
 

Expert Comment

by:jdeclue
ID: 11921275
Thank you... halfond... glad to see you out here on a Saturday, Pete! ;)

J
0
 

Expert Comment

by:Pete Long
ID: 11922106
just checking in :)
0
 

Author Comment

by:halfondj
ID: 11922147
I certainly appreciate the replies that you gave me.  I look forward to trying what you suggested on Monday.

Thanks again.
0
 

Author Comment

by:halfondj
ID: 11930757
I tried the restricted groups recommendation and it did not work.  The only way I found that the user had local admin rights is if I manually added the domain user to the local PC admin group.
0
 

Expert Comment

by:jdeclue
ID: 11930866
It will not work for an individual person, because they are not logged into the machine when these settings get applied. This precludes you from using a variable like "%username%", etc. The group "Domain Users" will work; any group will.

Now there are other ways to allow people to use software without giving them local admin privileges. You can use a GPO setting to grant users read and write to portions of the registry. Many users think they need admin to run programs that use CD-writers etc., but there is a GPO for that (Computer Configuration - Security - Local Security Policy - format removable media (something like that)). Let me know how you would like to proceed. ;)

j
 
0
 

Author Comment

by:halfondj
ID: 11932079
>> It will not work for an individual person...
Does that mean a user within a security group?  I tried adding the security group that contained the user and it still didn't work.

>> You can use a GPO setting, to grant users read and write to portions of a registry.
How would that be done?

Thanks again.
0

Expert Comment

by:jdeclue
ID: 11932429
when you tried to add the security group, did you put it in this format "domainname\usergroup"?

I will try to post some instructions on the registry stuff in a little bit... caught in a bind this morning. ;(

J
0
 

Author Comment

by:halfondj
ID: 11933335
>> when you tried to add the security group, did you put it in this format "domainname\usergroup"?
I did.

>> I will try to post some instructions on the registry stuff in a little bit...
Much appreciated :).
0
 

Expert Comment

by:jdeclue
ID: 11933749
Here is the way I do it.

In the GPO, I right-click on Restricted Groups in the right-hand pane. Select "Add Group..."; this needs to be the local group on the computer. Type in "Administrators". Select OK.

Administrators shows up on the right hand side.
Double-click on Administrators.
Click on Add next to members of this group
add these users:
administrator
domain\Domain Admins
domain\Domain Users

--- This should work...

Now as far as the registry goes....
Computer Configuration --> Windows Settings --> Security Settings ---> Registry

Right - Click on Registry and select Add Key
You will now get a list of entries from your own registry. You can select any location and it will add it to the right. Select a key (usually you have to work in Machine\Software and Machine\System\CurrentControlSet).

Add the key, it will place it on the right. Then double click on the key and you can set permissions.

J


0
 

Author Comment

by:halfondj
ID: 11948530
>> I have a question re:
    add these users:
    administrator
    domain\Domain Admins
    domain\Domain Users

What if I don't want all domain users in the restricted group?  Say, I only want 12 users who are in a group, let's say ABC-Local-Admin-Grp?  Would I add the domain\ABC-Local-Admin-Grp instead of domain\Domain users?  If so, that's what I did and it didn't work.

Please advise.  Thanks.

As for the registry settings, that wouldn't be ideal for my environment.  Thanks for the explanation anyway.
0
 

Expert Comment

by:jdeclue
ID: 11951615
Yes that is what you would do... It didn't work? This is odd, I currently use this functionality in a production site... we have a group of desktop administrators, who do not have Domain Admin privileges... they belong to a group called "DTADMINS", in the administrators group I added to the restricted list, I have set it to Domain\DTADMINS, Domain\Domain Admins, Administrator. It removes all of the current entries and adds these ones in when the client workstation updates its security.

Make the settings, and then save the Group Policy. After that, reboot one of the workstations you have applied the policy to. If it does not change the group membership, then type this at the command prompt on the client:

"secedit /refresh_policy machine_policy /enforce"

Check the event viewer after a few minutes and look for a SceCli entry that the policy has been refreshed, then check the membership. This will force the machine to update.

I know that the policy works, I am wondering if the workstation is not applying the template.

J


0
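
Both of jdeclue's replies above (the member list to put on Administrators, and the note that the policy removes all current entries and adds the listed ones when the workstation refreshes its security settings) describe the authoritative "Members" semantics of Restricted Groups. The Python below is an added example, not code from this thread: it parses the [Group Membership] section of a GptTmpl.inf, which is where the GPO editor writes a Restricted Groups setting (under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL), and simulates the resulting local Administrators membership. The INF text, the domain SID, the workstation's starting membership and the small SID-to-name table in it are all constructed; a real audit resolves SIDs against the domain.

```python
r"""Audit a Restricted Groups setting as it is stored in SYSVOL.

Added example. The GptTmpl.inf text below is constructed and the domain SID
in it is made up. A real audit reads
<GPO folder>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf from SYSVOL
(open it with encoding="utf-16") and resolves SIDs against the domain.
"""
import configparser
import re

# What the GPO editor writes for: Restricted Groups -> Administrators ->
# Members = Domain Admins, Administrator, ABC\ABC-Local-Admin-Grp.
# SIDs carry a leading '*'; a name the editor could not resolve is kept as text.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-500,ABC\ABC-Local-Admin-Grp
"""

# Stand-in for SID resolution (constructed); real code uses LookupAccountSid.
WELL_KNOWN_SIDS = {"S-1-5-32-544": r"BUILTIN\Administrators"}
DOMAIN_RIDS = {"500": r"ABC\Administrator", "512": r"ABC\Domain Admins"}


def friendly(principal: str) -> str:
    """Map '*<SID>' to a readable name; plain names pass through unchanged."""
    if not principal.startswith("*"):
        return principal
    sid = principal[1:]
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if m and m.group(1) in DOMAIN_RIDS:
        return DOMAIN_RIDS[m.group(1)]
    return sid


def parse_group_membership(inf_text: str) -> dict:
    """Return {group: {"Members": [...] or None, "Memberof": [...] or None}}.

    Keys in [Group Membership] are '<group>__Members' (the authoritative
    member list) and '<group>__Memberof' (groups this group gets added to).
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   delimiters=("=",))
    cp.optionxform = str  # keep case and the leading '*'
    cp.read_string(inf_text)
    policy: dict = {}
    if not cp.has_section("Group Membership"):
        return policy
    for key, value in cp.items("Group Membership"):
        group, _, setting = key.rpartition("__")
        if setting not in ("Members", "Memberof"):
            continue
        entries = [e.strip() for e in (value or "").split(",") if e.strip()]
        target = policy.setdefault(friendly(group),
                                   {"Members": None, "Memberof": None})
        target[setting] = [friendly(e) for e in entries]
    return policy


def apply_restricted_group(policy: dict, group: str, current: list) -> tuple:
    """Simulate what the security engine does to one local group at refresh.

    A defined Members list replaces the entire membership (an empty list
    empties the group); the group is left alone only when no Members key
    exists for it. Returns (membership afterwards, principals removed).
    """
    setting = policy.get(group)
    if setting is None or setting["Members"] is None:
        return sorted(current), []
    wanted = set(setting["Members"])
    removed = sorted(set(current) - wanted)
    return sorted(wanted), removed


if __name__ == "__main__":
    pol = parse_group_membership(SAMPLE_INF)
    # Constructed picture of a workstation before the policy is applied:
    # someone added a local helpdesk account by hand.
    before = [r"ABC\Administrator", r"ABC\Domain Admins", r"PC1\helpdesk"]
    after, gone = apply_restricted_group(pol, r"BUILTIN\Administrators", before)
    print("Administrators after refresh:", after)
    print("removed by the policy:", gone)
```

Two things the simulation makes visible. Any account a workstation's own staff added to Administrators (the constructed PC1\helpdesk here) disappears at the next refresh, so the "Members" form is a hard reset of the group, not an addition. And whoever can edit this GPO chooses the local administrators of every computer in its scope, so the GPO's own ACL deserves the same review as the group it populates. If the goal is to add a domain group without clearing everything else, the "This group is a member of" (Memberof) setting on the domain group is the additive alternative.
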
 

Author Comment

by:halfondj
ID: 11957368
Thanks so much for the response.  I have done what you explained and the restricted groups policy is still not working.

Here is my environment:

ABC.COM - domain  - default domain policy (only policy used) - small company
   ABC-Department-OU
        ABC-Local-Admin-Grp [members consist of some accounting users, etc. and the test user]
        ABC-Accounting-OU
             ABC-Acct-Grp [members consist of accounting users]
                 acct_user
        ABC-Credit-OU
             ABC-Credit-Grp
                  credit_user
                   :
        ABC-Test-OU  - for testing purposes, I created a GPO with only the restricted groups policy set
             ABC-Test-Grp [only member is test_user]
                  test_user

In the restricted groups policy I added the Administrators group and added members to Administrators - ABC\Domain Admins, administrator and ABC\ABC-Local-Admin-Grp.

After a re-boot, I logged on as the test_user and the users in the ABC-Local-Admin-Grp were not added to the local PC.

Question 1:  Do I have to add the workstation to the ABC-Test-OU?
Question 2:  How does the policy apply to the computer?

I don't know why my configuration doesn't work.

Thanks.
0
 

Author Comment

by:halfondj
ID: 11957394
I forgot to add, I'm logging on using XP and even issued the gpupdate command and received no errors.

What was returned was:
Refreshing Policy...

User Policy Refresh has completed.
Computer Policy Refresh has completed.
0
 

Expert Comment

by:jdeclue
ID: 11963396
The policy is a computer policy; it does not apply to a user. You must take the user's computer object and put that in the OU with the GPO policy. That was a fantastic explanation of the AD structure... thank you ;)

J
0
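
jdeclue's reply above says why the test GPO never reached the workstation: a Restricted Groups setting lives in Computer Configuration, so what matters is where the computer object sits in AD, not which OU the user or the user's group sits in. The Python below is an added example, not from the thread; it models the OU tree halfondj posted with constructed distinguished names, GPO names and links, and lists which GPOs apply to a computer or user object by walking from the domain down to the object's own container, the order Group Policy processes links in. Sites, security filtering, WMI filters, Enforced/Block Inheritance and loopback processing are left out of the model.

```python
"""Which GPOs reach an object? A small model of Group Policy scope.

Added example. The domain, OU tree, GPO names and links below are constructed
from the layout posted in this thread; nothing here queries a real directory.
"""

DOMAIN_DN = "DC=abc,DC=com"

# GPO name -> which halves of the GPO carry settings. The test GPO only has
# a Restricted Groups setting, which is Computer Configuration.
GPOS = {
    "Default Domain Policy": {"computer": True, "user": True},
    "ABC-Test Restricted Groups": {"computer": True, "user": False},
}

# Container DN -> GPOs linked there, in link order. GPOs can be linked to
# the domain and to OUs, never to the default CN=Computers container.
GPO_LINKS = {
    DOMAIN_DN: ["Default Domain Policy"],
    "OU=ABC-Test-OU,OU=ABC-Department-OU," + DOMAIN_DN: ["ABC-Test Restricted Groups"],
}


def containers_for(dn: str, domain_dn: str = DOMAIN_DN) -> list:
    """Ancestor containers of an object: domain first, its own container last."""
    suffix = "," + domain_dn
    if not dn.endswith(suffix):
        raise ValueError(f"{dn} is not in {domain_dn}")
    rdns = dn[: -len(suffix)].split(",")  # e.g. ["CN=PC1", "OU=ABC-Test-OU", ...]
    chain = [domain_dn]
    for depth in range(len(rdns) - 1, 0, -1):  # skip the object's own RDN
        chain.append(",".join(rdns[depth:]) + suffix)
    return chain


def applicable_gpos(dn: str, kind: str) -> list:
    """GPOs whose `kind` half ("computer" or "user") applies to the object at dn.

    Links are processed domain first, then each OU down to the object's own
    container, so a later link wins on conflicting settings. The object's
    group memberships play no part: only its location in the tree does.
    """
    if kind not in ("computer", "user"):
        raise ValueError("kind must be 'computer' or 'user'")
    return [
        gpo
        for container in containers_for(dn)
        for gpo in GPO_LINKS.get(container, [])
        if GPOS[gpo][kind]
    ]


if __name__ == "__main__":
    test_ou = "OU=ABC-Test-OU,OU=ABC-Department-OU," + DOMAIN_DN
    cases = [
        ("user", "CN=test_user," + test_ou),
        ("computer", "CN=PC1,CN=Computers," + DOMAIN_DN),  # default container
        ("computer", "CN=PC1," + test_ou),                  # after moving it
    ]
    for kind, dn in cases:
        print(f"{kind:8} {dn}\n         -> {applicable_gpos(dn, kind)}")
```

Moving PC1 out of the default Computers container into ABC-Test-OU is what makes the second GPO appear in the computer's list; test_user sitting in ABC-Test-OU, or belonging to ABC-Local-Admin-Grp, changes nothing about the computer half. On the workstation itself, `gpresult /scope computer /r` gives the same answer from the machine's side: the computer's distinguished name and the computer GPOs that were applied.
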
 

Author Comment

by:halfondj
ID: 11965706
To jdeclue:  Thanks for answering my question in my other post - http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21106191.html.

Using restricted groups and configuring domain users as local users all makes sense now.  I was even able to explain it to my manager :).

0
 

Expert Comment

by:jdeclue
ID: 11966072
I hadn't even noticed these were both your question?! I have lost it! I was answering both of these for the past couple of days... and you never told me! ;)

J
0
 

Author Comment

by:halfondj
ID: 11969511
I was so wrapped up with trying to get my problem rectified that I didn't realize it was you answering both of them until you solved my problem by telling me to create a computer-only OU.

Both questions are related, but the other question I wanted to know specifically what restricted groups are.

Everything now all makes sense :).

Thanks again.  All replies are certainly appreciated.  I can't begin to tell you how much I've learned using this website.  Everyone is great here!!
0
