Add non domain admins as local admins to workstations via GP


I have been struggling with this one. How can you, by Group Policy, add a certain global group as administrators to local machines? I have a desktop guy who's not ready to be a domain administrator, yet I would like him to add/remove workstations to the domain and create user accounts and such. Anybody have an efficient method of achieving this? I read somewhere on EE that this was possible by using 'Restricted Groups' under Computer Configuration, but when I looked there it wasn't very intuitive!
SANG501Asked:

What90Commented:
Hi SANG501,

Restricted Groups works very nicely for what you're trying to do. See if these links help out setting it up:

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_restricted_group.htm
http://support.microsoft.com/kb/q279301

Then, I'd delegate some permissions in AD for an OU or two for him to add/delete workstations, create accounts and change their details.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx
0

WeHeCommented:
To give someone rights for adding and creating users/computers in AD, you can use the "Delegation of Control" wizard, built into AD Users & Computers.
The problem with Restricted Groups is that all other members of this group will be removed.
We solved such a task with a startup script, adding our support group with "net localgroup" to the local Administrators group.
0
SANG501Author Commented:

OK, so if I added Domain Admins and user "Kenny" to the Restricted Groups policy and applied it to my workstation OU, will this overwrite any members in the 'local administrators' group, excluding the local administrator itself?

Our OU structure
-domain.local
 -Corporate Headquarters
  -Servers
  -Users
  -Workstations (Should the restricted group policy be applied here or the domain policy?)

0

WeHeCommented:
Yes, it will override your local group!
I would assign it in an extra policy to your workstation OU only.
0
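The overwrite behaviour discussed above, shown as an added example that is not from the thread or any poster's environment: the `[Group Membership]` section a Restricted Groups policy stores in the GPO's `GptTmpl.inf`, first in the authoritative "Members of this group" form and then in the additive "This group is a member of" form. `<DOMAIN-SID>` and `<SUPPORT-RID>` are placeholders for the domain identifier and the support group's RID.

```ini
; Constructed example. File location inside the GPO:
;   Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
; S-1-5-32-544 = BUILTIN\Administrators, RID 512 = Domain Admins.
; The two variants below belong to two alternative GPOs, not one file.

; --- Variant A: "Members of this group" defined on Administrators ---
; Authoritative list. At every policy refresh, any account or group in
; the local Administrators group that is not listed here is removed,
; including members that were added by hand on the workstation.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<DOMAIN-SID>-512,*S-1-5-21-<DOMAIN-SID>-<SUPPORT-RID>

; --- Variant B: "This group is a member of" defined on the support group ---
; Additive. The support group is inserted into local Administrators and
; the group's existing members are left in place.
[Group Membership]
*S-1-5-21-<DOMAIN-SID>-<SUPPORT-RID>__Memberof = *S-1-5-32-544
*S-1-5-21-<DOMAIN-SID>-<SUPPORT-RID>__Members =
```

Variant A gives a known, enforced administrator list on every machine in the linked OU, which is the stronger control when unexpected local admins are the concern; Variant B trades that enforcement for not disturbing existing memberships.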
SANG501Author Commented:
Works great! Question: what will be the best method to apply this to all workstations except "administrator" workstations? This will be my last question before I award points. Thanks!!!!
0
WeHeCommented:
- Put all admin workstations into their own OU.
or
- Add "security filtering" to your GPO.
or
- Build a WMI filter.

I would prefer the OU, but security filtering is a good solution too.
0
SANG501Author Commented:
Thank you guys so much!
0
Windows Server 2003


Question has a verified solution.
