GPO to allow local Admin of member servers

We would like to be able to add a GPO that would allow adding the site administrators group to the local administrators group of the member servers.

We delegated our OU administrator to the IT personnel (who were previously Domain Admins).  Now we would like to add them to the local administrators group of all member servers without having to touch each server.

Any help would be appreciated.
Hudson-Advisors Asked:

Hudson-Advisors (Author) Commented:
One other item that I forgot to mention was that we need to add these site admin accounts to the local administrator groups of the client machines as well.
0
Netman66 Commented:
If these servers are in the same OU, then this is what to do:

1)  Create a GPO linked to the OU where these servers live.
2)  Configure - Computer Configuration>Windows Settings>Security Settings>Restricted Groups
3)  Right click Restricted Groups>Select Add Group
4)  Type in Administrators
5)  In the Members of this group pane select Add.
6)  Add your Global Group that contains these people.
7)  Also ***IMPORTANT*** - add any other group that is by default added in the Administrators local group (Domain Admins is one).  If you don't, then the existing membership of this group will get removed and stay removed.
8)  Close out.

This should be all you need.  The policy should refresh shortly - if not, run gpupdate /force on each server.



0

Hudson-Advisors (Author) Commented:
I will give that a try, but it sounds like it should work fine.  

Thanks for the note about the defaultly added groups.
0
Netman66 Commented:
No problem.  You may want to eyeball this group locally to see what's in there before you create the policy.  There may be other accounts depending on what software is installed.

0
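Added example (not part of the thread and not either poster's code): because the Restricted Groups "Members of this group" list replaces the existing membership, this script diffs a server's current local Administrators members against the list planned for the GPO. It assumes English-locale `net localgroup Administrators` output; the sample output, the `CORP` domain and all account names are constructed placeholders.

```python
import sys

# Constructed sample of English-locale `net localgroup Administrators` output.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\svc-backup
The command completed successfully.
"""
# Hypothetical Members list planned for the GPO (names are assumptions).
PLANNED = ["Administrator", "CORP\\Domain Admins", "CORP\\Site Admins"]


def parse_members(net_output):
    """Return the member names listed between the dashed rule and the footer."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = line.startswith("-----")
            continue
        if line.lower().startswith("the command completed"):
            break
        if line:
            members.append(line)
    return members


def diff_membership(current, planned):
    """Compare case-insensitively; return (dropped, added) in original spelling."""
    cur = {m.lower(): m for m in current}
    plan = {m.lower(): m for m in planned}
    dropped = sorted(cur[k] for k in cur.keys() - plan.keys())
    added = sorted(plan[k] for k in plan.keys() - cur.keys())
    return dropped, added


if __name__ == "__main__":
    # Optional argument: a file saved with `net localgroup Administrators > admins.txt`
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    dropped, added = diff_membership(parse_members(text), PLANNED)
    print("Current members missing from the planned list:", dropped)
    print("Members the policy would add:", added)
```

Any account reported as missing from the planned list (here a constructed service account) should be reviewed and either added to the policy's Members list or deliberately left out before the GPO is linked.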
Hudson-Advisors (Author) Commented:
I was just logging into one of the servers to see if anything was abnormal.
0
Netman66 Commented:
:o)
0
Hudson-Advisors (Author) Commented:
Should I worry about local system account or any of the local accounts like that?
0
Netman66 Commented:
Only if they are in the Administrators group.  The policy I describe only affects membership of this group and only in the OU the policy is linked to.

0
Hudson-Advisors (Author) Commented:
Cool, I will get this in as soon as I can.
0
Hudson-Advisors (Author) Commented:
This worked great.
0
Windows Server 2003