Solved

Restricted Groups add domain user as Local Administrator

Posted on 2004-10-18
Last Modified: 2008-02-01
Hi all,

I've created a domain user account to which I would like to delegate some administrative rights so that he can manage a particular OU. On the GPO for that particular OU, I created a Restricted Group named "Administrators" and added that domain user account as one of the members besides Domain Admins. In the field "This group is a member of" I put "Administrator" as well.

Yes, the GPO successfully deployed to each and every PC. The problem is, I only want this domain user to be added as a Local Administrator, but this restricted group I created indirectly added this domain user as a domain administrator. How should I go about it? What is the best approach for this?

Btw, I'm running on Win2k Server and most clients are using Win2k and XP.

Regards,
Nicholas
Question by:nicholas80
16 Comments
LVL 5

Expert Comment

by:georgecooldude
ID: 12345604
By default, to make someone a local administrator they need to be a member of the "Administrators" group. This is because if you go to Control Panel, "User Accounts", you will see the administrator is a member of the Administrators group.

The only other way to create local administrators but not domain-wide ones is to re-create an administrator account on the local machine. Give it full admin rights locally. Then put it in a group called "mylocal admins", for example. Then on the domain, add the users you want to be local admins to the "mylocal admins" group.

Hope it works for you. Let me know how you get on.
LVL 20

Expert Comment

by:Debsyl99
ID: 12345915
Hi

You could run this from a script on the local PC; you could also assign it as a start-up script:

net localgroup administrators /ADD "user name"

Example PAQ on Subject
http:Q_20333501.html
Net localgroup
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_localgroup.mspx

Deb :))
Author Comment

by:nicholas80
ID: 12357072
Hey guys, I'm outstation today, will test it out tomorrow and let you know the result..
Author Comment

by:nicholas80
ID: 12366532
Hi georgecooldude,

Sorry, I was outstation yesterday. Thx for commenting.
The default local administrator is not allowed to be removed from the Administrators group. I understand that; the solution you gave should work, but you won't be expecting me to go to each and every PC to re-create the local administrator account and the "mylocal admins" group, right?
I've in total more than 200 PCs in that particular OU.
Is there any way that I can do all this from the domain level without visiting the user site?

Hi Debsyl99,

I've read through the link you provided, but I'm not concerned about granting and revoking local administrator rights. For your information, the user I'm going to assign the task to already has local administrator access on each PC. I want to create a domain user with local administrator rights so that this domain user can manage the PCs through the network, e.g. connecting to other computers using Computer Management.

Rgds,
Nicholas
LVL 5

Expert Comment

by:georgecooldude
ID: 12367623
nicholas80, I think you have to go around each machine and do this.

The reason is that not many people give full admin rights on a local machine but not on the domain. It's a bit of a security risk if everyone can play around with the client machines.
Author Comment

by:nicholas80
ID: 12367858
George,

I believe there is a solution for this which can be done at domain level. Manually performing the setting on each and every PC doesn't sound productive to me. Furthermore, this particular OU is in a different location (country).
Author Comment

by:nicholas80
ID: 12398483
Any solution, guys??
LVL 5

Expert Comment

by:georgecooldude
ID: 12398581
Not that I know of, sorry. This has now gone above my level of knowledge.

I would also be interested to know.
LVL 20

Expert Comment

by:Debsyl99
ID: 12398594
Hi

I'm a little confused, I think, so can I check what you want to do, and correct me if I have it wrong.

You want to give a specific domain user account local admin rights on all PCs (maybe within an OU?) without having to visit each PC? Is this correct?

Author Comment

by:nicholas80
ID: 12407251
Hi Debsyl99,

Yes, you are absolutely right. Remember, I only want this domain user account added to the local admin group on all PCs, and not to Domain Admins nor the domain built-in Administrators.
LVL 20

Accepted Solution

by:
Debsyl99 earned 250 total points
ID: 12408924
Hi Nicholas80,

That's what I thought - here's exactly how I do it -

First create a new security group in Active Directory - call it LocalAdmins, say.
Then add your domain user to that group - don't forget to make sure that the group is also a member of Domain Users itself.

Then create a .bat file - call it AdminAdd.bat, for example.

In it paste the following:

net localgroup Administrators /ADD LocalAdmins

(LocalAdmins is the name of the security group you created.)

This simple script will add the security group LocalAdmins to the local Administrators group on every PC this script is applied to - so any domain user that you add to this group as a member will be a local administrator on the PCs to which it has been applied. The beauty of this approach is that if you want to change admin rights on a local PC, all you need to do is alter the membership of this group in Active Directory. If the group has no members then no one will be a local admin, etc.

Then we need to get this applied to the PCs to save you having to visit them all.

Presumably your PCs are in organisational units?

All you need to do is add this script to a GPO's start-up scripts under Computer Configuration, Windows Settings, Scripts (Startup), and link it to the relevant OUs. On the GPO itself you need to make sure that Domain Computers have Read and Apply rights under Properties, Security. Make sure that the script is also present in the relevant start-up scripts folder. Then run secedit /refreshpolicy machine_policy from a command prompt on the server - remember, if you have more than one DC, the settings need time to replicate amongst them.

Next time the PCs in the OU boot up, the script will run and add that security group to the local Administrators group on those PCs.

If you need any more detail let me know,

Deb :))
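A fuller version of the AdminAdd.bat startup script, added here as an example rather than the file from the accepted answer: it qualifies the group with the domain name so it cannot be confused with a local group of the same name, checks the current membership first so that it does nothing on the hundreds of reboots where the group is already present, and writes a one-line log entry so the result can be checked without visiting the PC. The domain name CONTOSO, the group name LocalAdmins and the log path are assumptions made for the example.

```batch
@echo off
rem AdminAdd.bat - added example, not the script posted in the accepted answer.
rem Assumptions (constructed for this example): the domain's NetBIOS name is
rem CONTOSO, the AD security group is LocalAdmins, and the log goes to the
rem machine's Temp folder. Runs as a GPO computer startup script (LocalSystem).
setlocal
set GROUP=CONTOSO\LocalAdmins
set LOGFILE=%SystemRoot%\Temp\AdminAdd.log

rem "net localgroup Administrators" lists current members one per line, with
rem domain accounts shown as DOMAIN\name, so find /i locates the group if present.
net localgroup Administrators | find /i "%GROUP%" >nul
if errorlevel 1 (
    rem Not a member yet: add it. net returns a non-zero exit code on failure.
    net localgroup Administrators "%GROUP%" /ADD >nul 2>&1
    if errorlevel 1 (
        echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %GROUP% >> "%LOGFILE%"
    ) else (
        echo %DATE% %TIME% %COMPUTERNAME%: added %GROUP% >> "%LOGFILE%"
    )
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: %GROUP% already present, nothing done >> "%LOGFILE%"
)
endlocal
```

Two points worth knowing when combining this with the Restricted Groups question raised later in the thread: on Windows XP clients the policy refresh command is gpupdate /target:computer rather than secedit /refreshpolicy, and a Restricted Groups entry whose "Members of this group" list is set enforces exactly that list at every policy refresh, so anything a startup script adds to Administrators that is not in the list is removed again; the "This group is a member of" list is only ever additive. If both mechanisms are used, the LocalAdmins group has to appear in the Restricted Groups "Members" list as well.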

Author Comment

by:nicholas80
ID: 12409051
Hey dude,

This sounds interesting to me, I'm going to leave my office now and will be outstation tomorrow. Will test this out when I'm back. Thank you very much..will let you know the result..

Nick
LVL 20

Expert Comment

by:Debsyl99
ID: 12409124
Great - Let me know if you have any problems :))
Author Comment

by:nicholas80
ID: 12430645
Hey dude, I've tested it out...yeah, it works...thanks..
Btw, will the Domain Admins always be added to the local Administrators?
Can't it be removed explicitly?
LVL 20

Expert Comment

by:Debsyl99
ID: 12431365
Nope - can't get rid of that one,

Deb :))
Author Comment

by:nicholas80
ID: 12431676
One more question: if I use both Restricted Groups and startup scripts, will the LocalAdmins group that my startup script adds be removed?

Restricted Group: explicitly add local administrators (e.g. the Domain Admins group)
Startup Script: net localgroup Administrators /ADD LocalAdmins

The reason I do so is to prevent a user who has local admin rights from adding/raising any other user/domain user as a local administrator.

Will the restricted group take precedence and remove those users who are not in the restricted group?
If this can be done, will the LocalAdmins users added by my startup script be removed as well?

Hope you understand my question...thx