• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 230
  • Last Modified:

GPO to allow local Admin of member servers

We would like to be able to add a GPO that would allow the site administrators group to the local administrators group of the member servers.

We delegated our OU administrator to the IT personnel (who were previously Domain Admins).  Now we would like to add them to the local administrators group of all member servers without having to touch each server.

Any help would be appreciated.
0
Hudson-Advisors
Asked:
Hudson-Advisors
  • 6
  • 4
1 Solution
 
Hudson-AdvisorsAuthor Commented:
One other item that I forgot to mention was that we need to add these site admin accounts to the local administrator groups of the client machines as well.
0
 
Netman66Commented:
If these servers are in the same OU, then this is what to do:

1)  Create a GPO linked to the OU where these servers live.
2)  Configure - Computer Configuration>Windows Settings>Security Settings>Restricted Groups
3)  Right click Restricted Groups>Select Add Group
4)  Type in Administrators
5)  In the Members of this group pane select Add.
6)  Add your Global Group that contains these people.
7)  Also **IMPORTANT*** - add any other group that is by default added in the Administrators local group (Domain Admins is one).  If you don't then the existing membership of this group will get removed and stay removed.
8)  Close out.

This should be all you need.  The policy should refresh shortly - if not, run gpupdate /force on each server.



0
 
Hudson-AdvisorsAuthor Commented:
I will give that a try, but it sounds like it should work fine.  

Thanks for the not about the defaultly added groups.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Netman66Commented:
No problem.  You may want to eyeball this group locally to see what's in there before you create the policy.  There may be other accounts depending on what software is installed.

0
 
Hudson-AdvisorsAuthor Commented:
I was just logging into one of the servers to see if anything was abnormal.
0
 
Netman66Commented:
:o)
0
 
Hudson-AdvisorsAuthor Commented:
Should I worry about local system account or any of the local accounts like that?
0
 
Netman66Commented:
Only if they are in the Administrators group.  The policy I describe only affects membership of this group and only in the OU the policy is linked to.

0
 
Hudson-AdvisorsAuthor Commented:
Cool, I will get this in as soon as I can.
0
 
Hudson-AdvisorsAuthor Commented:
This worked great.
0

Featured Post

Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now