Restricted Groups add domain user as Local Administrator

Hi all,

I've created a domain user account to which I would like to delegate some administrative rights so that he can manage a particular OU. On the GPO for that particular OU, I created a Restricted Group named "Administrators" and added that domain user account as one of the members beside Domain Admins. For the field "This group is a member of" I put "Administrator" as well.

Yes, the GPO successfully deployed to each and every PC. The problem is, I only want this domain user to be added as a local administrator, but this restricted group indirectly added the domain user as a domain administrator. How should I go about it? What is the best approach for this?

Btw, I'm running Win2k Server and most clients are using Win2k and XP.

Regards,
Nicholas
georgecooldude commented:
By default, to make a local administrator they need to be a member of the "Administrators" group. This is because if you go to Control Panel, "User Accounts", you will see the administrator is a member of the Administrators group.

The only other way to create local administrators but not domain-wide ones is to re-create an administrator account on the local machine. Give it full admin rights locally. Then put it in a group called "mylocal admins", for example. Then on the domain add the users you want to be local admins into the "mylocal admins" group.

Hope it works for you. Let me know how you get on.
Debsyl99 commented:
Hi

You could run this from a script on the local PC; you could also assign it as a start-up script:

net localgroup administrators /ADD "user name"

Example PAQ on the subject:
http:Q_20333501.html
Net localgroup reference:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_localgroup.mspx

Deb :))
nicholas80 (Author) commented:
Hey guys, I'm outstanding today, will test it out tomorrow and let you know the result.
nicholas80 (Author) commented:
Hi georgecooldude,

Sorry, I was outstation yesterday. Thanks for commenting.
The default local administrator is not allowed to be removed from the Administrators group. I understand that the solution you gave should work, but you won't be expecting me to go to each and every PC to re-create the local administrator account and the "mylocal admins" group, right?
I have in total more than 200 PCs in that particular OU.
Is there any way that I can do all this from the domain level without visiting the user site?

Hi Debsyl99,

I've read through the link you provided, but I'm not concerned about granting and revoking local administrator rights. For your information, the user I'm going to assign the task to already has local administrator access on each PC. I want to create a domain user with local administrator rights so that this domain user can manage the PCs through the network, e.g. connecting to other computers using Computer Management.

Rgds,
Nicholas
georgecooldude commented:
nicholas80, I think you have to go around each machine and do this.

The reason is that not many people give full admin rights to a local machine but not the domain. It's a bit of a security risk if everyone can play around with the client machines.
nicholas80 (Author) commented:
George,

I believe there is a solution for this which can be done at domain level. Manually performing the setting for each and every PC doesn't sound productive to me. Furthermore, this particular OU is in a different location (country).
nicholas80 (Author) commented:
Any solution, guys?
georgecooldude commented:
Not that I know of, sorry. This has now gone above my level of knowledge.

I would also be interested to know.
Debsyl99 commented:
Hi

I'm a little confused, I think, so can I check what you want to do? Correct me if I have it wrong.

You want to give a specific domain user account local admin rights on all PCs (maybe within an OU?) without having to visit each PC. Is this correct?

nicholas80 (Author) commented:
Hi Debsyl99,

Yes, you are absolutely right. Remember, I only want this domain user account added to local admin rights on all PCs, and not to Domain Admins nor the domain built-in Administrators.
Debsyl99 commented:
Hi Nicholas80,

That's what I thought. Here's exactly how I do it.

First create a new security group in Active Directory; call it LocalAdmins, say.
Then add your domain user to that group. Don't forget to make sure that the group is also a member of Domain Users itself.

Then create a .bat file; call it AdminAdd.bat, for example.

In it paste the following:

net localgroup Administrators /ADD LocalAdmins

where LocalAdmins is the name of the security group you created.

This simple script will add the security group LocalAdmins to the local Administrators group on every PC this script is applied to, so any domain user that you add to this group as a member will be a local administrator on the PCs to which it has been applied. The beauty of this approach is that if you want to change admin rights on a local PC, all you need to do is alter the membership of this group in Active Directory. If the group has no members then no one will be a local admin, etc.

Then we need to get this applied to the PCs to save you having to visit them all.

Presumably your PCs are in organisational units?

All you need to do is add this script to a GPO's start-up scripts under Computer Configuration, Windows Settings, Scripts (Startup), and link it to the relevant OUs. On the GPO itself you need to make sure that Domain Computers have Read and Apply Group Policy rights in Properties, Security. Make sure that the script is also present in the relevant start-up scripts folder. Then run secedit /refreshpolicy machine_policy from a command prompt on the server. Remember, if you have more than one DC, the settings need time to replicate amongst them.

Next time the PCs in the OU boot up, the script will run and add that security group to the local Administrators group on those PCs.

If you need any more detail, let me know.

Deb :))

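The following is an added example of what the AdminAdd.bat startup script above can look like; it is not the code Debsyl99 posted. It assumes the AD group is called LocalAdmins in a domain whose NetBIOS name is CONTOSO (both placeholders, change them for your environment). It adds the domain group to the local Administrators group only if it is not already a member, so the script can run at every boot without producing errors, and it writes a short log line so you can check from the server which machines applied it.

```batch
@echo off
REM AdminAdd.bat - computer startup script (added example, not from the thread)
REM Assumptions (placeholders): domain NetBIOS name CONTOSO, AD group LocalAdmins.
REM Runs as LocalSystem when assigned via Computer Configuration startup scripts.

set DOMAINGROUP=CONTOSO\LocalAdmins
set LOGFILE=%SystemRoot%\AdminAdd.log

REM Check current membership first so the script is idempotent.
REM find /I matches the group name anywhere in the "net localgroup" listing.
net localgroup Administrators | find /I "LocalAdmins" >nul
if %ERRORLEVEL%==0 (
    echo %DATE% %TIME% %COMPUTERNAME%: %DOMAINGROUP% already in Administrators >> "%LOGFILE%"
    goto :EOF
)

REM Documented syntax: net localgroup <group> <member> /ADD
net localgroup Administrators "%DOMAINGROUP%" /ADD
if %ERRORLEVEL%==0 (
    echo %DATE% %TIME% %COMPUTERNAME%: added %DOMAINGROUP% to Administrators >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %DOMAINGROUP%, error %ERRORLEVEL% >> "%LOGFILE%"
)
```

If the same GPO also defines a Restricted Groups "Members of this group" list for Administrators, that list is enforced on every policy refresh and anything not on it is removed, including the group this script adds; in that case list LocalAdmins in the Restricted Groups entry itself instead of relying on the startup script.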
nicholas80 (Author) commented:
Hey dude,

This sounds interesting to me. I'm going to leave my office now and will be outstation tomorrow. I will test this out when I'm back. Thank you very much, I will let you know the result.

Nick
Debsyl99 commented:
Great. Let me know if you have any problems :))
nicholas80 (Author) commented:
Hey dude, I've tested it out. Yeah, it works. Thanks.
Btw, will Domain Admins always be added to the local Administrators group?
Can it not be removed explicitly?
Debsyl99 commented:
Nope, can't get rid of that one.

Deb :))
nicholas80 (Author) commented:
One more question: if I use both Restricted Groups and startup scripts, will the LocalAdmins group that my startup script adds be removed?

Restricted Group: explicitly add local administrators (e.g. the Domain Admins group)
Startup script: net localgroup Administrators /ADD LocalAdmins

The reason I do so is to prevent a user who has local admin rights from adding/raising any other user/domain user as a local administrator.

Will the restricted group take precedence and remove those users who are not in the restricted group?
If this can be done, will the LocalAdmins users my startup script added be removed as well?

Hope you understand my question. Thanks.