Applying Domain admins on all servers and W/S

Posted on 2006-05-02
Last Modified: 2010-04-18
I want to use Restricted Groups but am a little bit confused.

What I want to achieve is:

In my domain I want to ensure that a domain group called "mydom\admins" is added on all servers and computers so that it has local administrator access. How do I do it?

I see in GPMC the following:

Computer Configuration\Security\Restricted Groups, then add a group called mydom\admins. Then what is next?


Question by:markroe
24 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16585457
Hi markroe,

Just a couple of quick links as I am off to bed:

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://support.microsoft.com/?id=810076

Post if you need help, and myself or no doubt someone else will help you out :)
 

Author Comment

by:markroe
ID: 16585745
I added "mydom\admins" to a GPO and then ran gpupdate /force; however, the global group does not appear in the local Admins group.

Any ideas?

Server is 2003, AD domain is 2003.
 
LVL 5

Expert Comment

by:davino_1
ID: 16586085
By default, when a computer is joined to the domain, the domain admins group is added as local admins. Is your "domain admins" group named differently, therefore making it necessary to distribute it some other way?
 
LVL 51

Expert Comment

by:Netman66
ID: 16586669
You do it like this:

Restricted Groups>Add
"Administrators"
Add
Browse to or type in the Domain\Admins group.
OK out.

Link this at the Domain level.

****NOTE*****

You MUST, MUST, MUST add the default groups that are already in the Administrators local group - such as Domain Admins, etc.  Failure to do this will REMOVE all groups from the local Administrators group EXCEPT those you specifically defined in Restricted Groups.

You have been WARNED!!!!

****END NOTE ****
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16591750
Just a quick note: if you download the patch in the second link I posted, there is a spiel on how MS resolved that "member of" issue and added a kind of "append" feature to Restricted Groups so that it doesn't remove the already existing groups. However, if you don't want to be applying patches and want the simplest solution, then follow Netman's rule.
 
LVL 51

Expert Comment

by:Netman66
ID: 16591837
Jay - That's the first I've heard of this - I'm looking at it now.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16591857
It can get quite complex, but basically, off the top of my head, the fix fixes the "member of" object or something along those lines so as to not wipe out current objects. It worked on the fact that if "member" was left empty all sorts of bad things happen... as you know... something like that anywayz.....
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 16591900
Okay, just read that.

Restricted Groups functionality changed with Windows 2000 SP4 and in the 2003 Server family and XP SP2.  The update is for XP SP1.

There are 2 ways to add domain groups to local groups.

1)  Add Group>Administrators>Members - add members here.

This way Enforces membership of the Local Administrators group - meaning, only the groups defined in Members are allowed and everything else is removed.

2)  Add Group>Domain\Global Group>Member Of - add Administrators.

This way simply adds the Domain Global Group to the local Administrators group without removing or enforcing the membership of this local Administrators group.

It's not really an "append" or new functionality - it's been there awhile, but I never played around with the "Member of" settings since I've always enforced my local Administrators group membership completely.

I would suggest to the poster to use option 2 since you do not know what other groups are in the local Administrators group on each server - and it may differ from server to server depending on what software is installed.

I'm glad you spoke up Jay - I wouldn't have looked closer at this since I only use it one way.  Thanks.

NM
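A check that follows from the accepted answer, added here as an example and not code from the thread: compare the local Administrators group with the membership the policy is meant to produce, so that an account someone added by hand (which a Members-style policy removes at the next refresh) or a missing group is reported before the 90-minute refresh. The group names in $ExpectedMembers are placeholders standing in for the thread's mydom\admins and Domain Admins, and Get-LocalGroupMember assumes Windows PowerShell 5.1 or later on the host being checked.

```powershell
# Added example, not from the thread. Audits the local Administrators group
# against the set a Restricted Groups policy is meant to produce and reports
# drift: members that policy will remove at the next refresh, and expected
# members that are missing. Assumes Windows PowerShell 5.1+ on a domain-joined
# host, run elevated. Group and domain names below are placeholders.

$ExpectedMembers = @(
    'Administrator',          # built-in local account (local names kept unqualified)
    'MYDOM\Domain Admins',    # default member the thread warns you must keep
    'MYDOM\admins'            # the thread's custom domain group (placeholder domain)
)

function Get-LocalAdminDrift {
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [string]$GroupName = 'Administrators'
    )
    # Get-LocalGroupMember reports local principals as COMPUTER\Name and domain
    # principals as DOMAIN\Name; strip the computer prefix so local names match
    # the unqualified entries in $Expected.
    $actual = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
        ForEach-Object {
            if ($_.PrincipalSource -eq 'Local') { $_.Name.Split('\')[-1] } else { $_.Name }
        })

    # Compare-Object is case-insensitive on strings by default, which matches
    # how Windows treats account names.
    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject $actual

    [pscustomobject]@{
        Group      = $GroupName
        Unexpected = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
        Missing    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
    }
}

$drift = Get-LocalAdminDrift -Expected $ExpectedMembers
if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output "Local $($drift.Group) membership matches policy."
} else {
    # Non-zero exit so a scheduled task or monitoring job can flag this host.
    $drift.Unexpected | ForEach-Object { Write-Warning "Not in policy (a Members-style policy will remove it): $_" }
    $drift.Missing    | ForEach-Object { Write-Warning "Expected by policy but absent: $_" }
    exit 1
}
```

If you use option 2 (Member Of), the policy does not enforce the rest of the group, so $ExpectedMembers must list whatever else legitimately belongs on that particular server.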
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16591917
No problem, thank you for clarifying for me also. I have read through that doco numerous times, but usually when half-assing around with something else; at least now I know what it means as well instead of "it just works" :) Thanks NM

James
 

Author Comment

by:markroe
ID: 16595000
I am a little confused.

The steps I have taken:

Created a new GPO in a servers OU

Selected Restricted Groups

Within Add Group entered "Administrator" in the box

In the section "This group is a member of" I have put the Domain admins group, then selected Add, then OK.


On a server based in the OU I removed the Domain admins group and then ran the gpupdate /force command.

Why hasn't the Domain admins group been put back in?

Have I done something wrong?
 

Author Comment

by:markroe
ID: 16595086
Please ignore the above note ...


Final question about this
===============

I have added Domain admins and a Global IT admins group into the local Admins group and this appears to work fine. Thanks.

If a member of one of these groups tries to add a non-member of either group to the local Admins group, is it possible to forcefully remove this additional account from the local Admins?
 
LVL 51

Expert Comment

by:Netman66
ID: 16595178
It happens automatically in 90 minutes. You appear to have used Step 1, which enforces the local Admin group with only those 2 members you mention above. That's all that will stay in local Administrators.
 

Author Comment

by:markroe
ID: 16595451
THANKS

I have just found an issue that I must have created.

1 machine in the OU (now moved to a temp OU): I cannot log on as a domain admin or local admin.


On all other machines it is possible.

Help - any ideas what to do?


I did read your warning.

Will 90 minutes of waiting resolve this?
 

Author Comment

by:markroe
ID: 16595477
Error message is:

local policy of this system will not permit you to logon on interactively
 

Author Comment

by:markroe
ID: 16595564
Resolved.
 

Author Comment

by:markroe
ID: 16595605
Netman66,

Thank you again for your help.

What would you suggest is the best way to set this up?

In doing this exercise I have realised that I need the Domain admins group on all servers and various different application admins groups (which contain different sets of members) on different servers.

How would you suggest I set this up?
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16595895
Best option is to use option 2 in my opinion, as you won't lose any groups already existing.

You can set up multiple Restricted Groups and apply them to different OUs with the desired users.
 

Author Comment

by:markroe
ID: 16595941
By option 2 do you mean the top or bottom dialog box?
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16595951
>>>>>>>>>>>>

2)  Add Group>Domain\Global Group>Member Of - add Administrators.

This way simply adds the Domain Global Group to the local Administrators group without removing or enforcing the membership of this local Administrators group.
 

Author Comment

by:markroe
ID: 16596012
The bottom box.
 

Author Comment

by:markroe
ID: 16596046
I am getting a very odd result using the "bottom box" - "This group is a member of".

I added Domain admins to this and another global group plus Administrator.

Result after gpupdate /force:

Only Administrator is in the local Admin group and the existing global groups are gone.

Any ideas what I am doing wrong?
 

Author Comment

by:markroe
ID: 16596235
I now see what I was doing wrong.

Thank you again for your help.
 
LVL 51

Expert Comment

by:Netman66
ID: 16596325
Wow...I missed a bit of dialogue here.

It looks like it all sorted out??

Thanks.
NM
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16601591
:) have fun