Solved

Restricted Groups add domain user as Local Administrator

Posted on 2004-10-18
Last Modified: 2008-02-01
Hi all,

I've created a domain user account to which I would like to delegate some administrative rights so that he can manage a particular OU. On the GPO for that particular OU, I created a Restricted Group named (Administrators) and added that domain user account as one of the members besides the Domain Admins. For the field "This group is a member of" I put "Administrator" as well.

Yes, the GPO successfully deployed to each and every PC. The problem is, I only want this domain user to be added as a Local Administrator, but this restricted group indirectly added this domain user as a domain administrator. How should I go about it? What is the best approach for this?

Btw, I'm running Win2k Server and most clients are using Win2k and XP.

Regards,
Nicholas
Question by:nicholas80
LVL 5

Expert Comment

by:georgecooldude
ID: 12345604
By default, to make a local administrator they need to be a member of the "administrators" group. This is because if you go to Control Panel, "User Accounts", you will see the administrator is a member of the administrators group.

The only other way to create local administrators but not domain-wide ones is to re-create an administrator account on the local machine. Give it full admin rights locally. Then put it in a group called "mylocal admins", for example. Then on the domain add the users you want to be local admins into the "mylocal admins" group.

Hope it works for you. Let me know how you get on.
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12345915
Hi

You could run this from a script on the local PC - you could also assign it as a start-up script:

net localgroup administrators /ADD "user name"

Example PAQ on Subject
http:Q_20333501.html
Net localgroup
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_localgroup.mspx

Deb :))
 

Author Comment

by:nicholas80
ID: 12357072
Hey guys, I'm outstanding today, will test it out tomorrow and let you know the result..
 

Author Comment

by:nicholas80
ID: 12366532
Hi georgecooldude,

Sorry, I was outstation yesterday. Thanks for commenting.
The default local administrator is not allowed to be removed from the administrators group. I understand that the solution you gave should work, but you won't be expecting me to go to each and every PC to re-create the local administrator account and the "mylocal admins" group, right?
I have in total more than 200 PCs for that particular OU.
Is there any way that I can do all this from the domain level without visiting the user site?

Hi Debsyl99,

I've read through the link you provided, but I'm not concerned about granting and revoking local administrator rights. For your information, the user I'm going to assign the task to already has local administrator access on each PC. I want to create a domain user with local administrator rights so that this domain user can manage the PCs through the network, e.g. connecting to other computers using Computer Management.

Rgds,
Nicholas
 
LVL 5

Expert Comment

by:georgecooldude
ID: 12367623
nicholas80, I think you have to go around to each machine and do this.

The reason is that not many people give full admin rights to a local machine but not the domain. It's a bit of a security risk if everyone can play around with the client machines.
 

Author Comment

by:nicholas80
ID: 12367858
George,

I believe there is a solution for this which can be done at domain level. Manually performing the setting on each and every PC doesn't sound productive to me. Furthermore, this particular OU is in a different location (country).
 

Author Comment

by:nicholas80
ID: 12398483
Any solution guys ??
 
LVL 5

Expert Comment

by:georgecooldude
ID: 12398581
Not that I know of, sorry. This has now gone above my level of knowledge.

I would also be interested to know.
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12398594
Hi

I'm a little confused I think, so can I check what you want to do and correct me if I have it wrong.

You want to give a specific domain user account local admin rights on all PCs (maybe within an OU?) without having to visit each PC? Is this correct?
 

Author Comment

by:nicholas80
ID: 12407251
Hi Debsyl99,

Yes, you are absolutely right. Remember, I only want this domain user account added with local admin rights on all PCs, and not to Domain Admins nor the domain builtin Administrators.
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 250 total points
ID: 12408924
Hi Nicholas80,

That's what I thought - here's exactly how I do it -

First create a new security group in Active Directory - call it LocalAdmins, say.
Then add your domain user to that group - don't forget to make sure that the group is also a member of Domain Users itself.

Then create a .bat file - call it AdminAdd.bat for example

In it paste the following:

net localgroup Administrators /ADD LocalAdmins - LocalAdmins is the name of the security group you created.

This simple script will add the security group LocalAdmins to the local Administrators group on every PC this script is applied to - so any domain user that you add to this group as a member will be a local administrator on the PCs to which it has been applied. The beauty of this approach is that if you want to change admin rights on a local PC, all you need to do is alter the membership of this group in Active Directory. If the group has no members then no one will be a local admin, etc.

Then we need to get this applied to the PCs to save you having to visit them all.

Presumably your PCs are in organisational units?

All you need to do is add this script to a GPO's start-up scripts under Computer Configuration, Windows Settings, Startup Scripts, and link it to the relevant OUs. On the GPO itself you need to make sure that Domain Computers have Read and Apply rights in Properties, Security. Make sure that the script is also present in the relevant start-up scripts folder. Then run secedit /refreshpolicy machine_policy from a command prompt on the server - remember, if you have more than one DC, the settings need time to replicate amongst them.

Next time the PCs in the OU boot up, the script will run and add that security group to the local Administrators group on those PCs.

If you need any more detail let me know,

Deb :))

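The startup script described in the accepted solution, written out as an added example (this is not Debsyl99's own AdminAdd.bat). It assumes a domain NetBIOS name of EXAMPLEDOM and the AD security group LocalAdmins; both are placeholders. Beyond the one-line version in the answer, it checks whether the group is already a member before calling net localgroup, so the script stays silent on every later boot instead of failing with a duplicate-member error, and it appends a one-line record to a local log so you can confirm from the PC which group was granted local admin and when:

```batch
@echo off
rem AdminAdd.bat - computer startup script (added example, not the poster's file).
rem Assumes: domain NetBIOS name EXAMPLEDOM and AD security group LocalAdmins.
rem Both values are placeholders; set them for your own environment.
setlocal
set DOMAIN=EXAMPLEDOM
set GROUP=LocalAdmins
set LOGFILE=%SystemRoot%\AdminAdd.log

rem net localgroup lists members as DOMAIN\Group, one per line.
rem Only add the group when it is not already present so repeated boots
rem do not error out (net reports that the member already exists).
net localgroup Administrators | find /I "%DOMAIN%\%GROUP%" >nul
if errorlevel 1 goto addgroup
echo %DATE% %TIME% %COMPUTERNAME%: %DOMAIN%\%GROUP% already in Administrators >> "%LOGFILE%"
goto end

:addgroup
rem Documented syntax: net localgroup <localgroup> <member> /ADD
net localgroup Administrators "%DOMAIN%\%GROUP%" /ADD
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %DOMAIN%\%GROUP% >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: added %DOMAIN%\%GROUP% to Administrators >> "%LOGFILE%"
)

:end
endlocal
```

Startup scripts run as the computer account (LocalSystem), which is why a domain computer can change its own local Administrators group without a user logging on. To verify on one PC after a reboot, run `net localgroup Administrators` and look for the EXAMPLEDOM\LocalAdmins line, or read %SystemRoot%\AdminAdd.log.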
 

Author Comment

by:nicholas80
ID: 12409051
Hey dude,

This sounds interesting to me, I'm going to leave my office now and will be outstation tomorrow. Will test this out when I'm back. Thank you very much..will let you know the result..

Nick
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12409124
Great - Let me know if you have any problems :))
 

Author Comment

by:nicholas80
ID: 12430645
Hey dude, I've tested it out... yeah, it works... thanks..
Btw, will the Domain Admins always be added to the local Administrators?
Can't it be removed explicitly?
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12431365
Nope - can't get rid of that one.

Deb :))
 

Author Comment

by:nicholas80
ID: 12431676
One more question: if I use both Restricted Groups and Startup Scripts, will my startup script which adds the LocalAdmins group be removed?

Restricted Group: Explicitly add local administrators (e.g. Domain Admins group)
Startup Script: net localgroup Administrators /ADD LocalAdmins

The reason why I do so is to prevent a user who has local admin rights from adding/raising any other user/domain user as a local administrator.

Will the restricted group take precedence and remove those users who are not in the restricted group?
If this can be done, will the LocalAdmins users added by my startup script be removed as well?

Hope you understand my question... thx
