Solved

Adding Global Groups to Local Groups via Group Policy

Posted on 2004-10-04
10
332 Views
Last Modified: 2010-04-19
I have several Help Desk Users that I have put into a "Help Desk" Global Group on my 2003 Server.  I want the Help Desk global group to be a member of the local administrators group on every Workstation in our Domain.  How do I implement this via Group Policy?

0
Comment
Question by:daveyd123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
10 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 12221332
Hi,

Do these users need to be local admins only on the workstations or can they be admins in the entire domain?? If they need to be admins within the entire domain, just add them to the domain admins group and they will automatically have permissions to the machines as local admins.

Other options might be to use GPO's. There's should be an option to add users to the local admin group or give users full control on specified folders of workstions within the scope of the GPO..
0
 
LVL 1

Author Comment

by:daveyd123
ID: 12221549
I do not want these users to be part of the Domain Admins group, which by default, is a member of the workstations local admins group...

I want the users in the "Help Desk" global group to be able to log on to any workstation and install software, upgrade the O/S, etc, without giving the power that a Domain Admin has.

I figured I could make the "Help Desk" global group part of the local admins group on all workstations in the Domain...I just need to know what GPO I have to edit to do so.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12221619
Hi,

I don't believe there is one. Are the heldesk users on the pc or not?? You could try using the Runas command (or holding SHIFT, right clicking a program and choose the run As option..)
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 1

Author Comment

by:daveyd123
ID: 12222697
I am aware of using Run As.  However, I would have to assume there is a way to add a domain global group to the local admins group on all workstation in the Enterprise via Group Policy.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12224122
Hi,

I searched all Objects within server 2003 GPO and not able to find it. Maybe something could help you out there. If it is possible, you should be seeking in the Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Right Assignments... Maybe there is an option you can use...
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12224124
Maybe by using the Allow Logon Through Terminal Server, or the Allow Logon Locally, can be a starter to get you where you would like to be.
0
 
LVL 1

Author Comment

by:daveyd123
ID: 12225834
Actually I found the solution.  In Group Policy I can use the Restricted Groups GPO and choose what members I want to be part of the local admins group on the workstations
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12230608
Agree
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 12267778
Question answered by asker or dialog valuable.
Closed, 75 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question