windows 2003 GPO

Hi ,
I have created an OU that includes former domain admins. I want to give them local admin rights to all 100 member servers but no access to the domain controllers. The are out of the domain Admins group.
Can members of the built in group 'Domain computers' and server operators join a workstation in the domain ?
How should i build my Gropu policy to reach the above result ?

Who is Participating?
rutten-dConnect With a Mentor Commented:
who has permission to add a computer to the domain depends on this GPO setting:
default domaincontrollers policy - computer settings - windows settings - security settings - local policy -
user rights assignment - Add Workstations to domain.

next , you can group your servers in an OU and apply a policy to the OU which uses Restricted Groups to add a Domain group to the local admins group on these servers.
Of course you have to create a group with your former DA's.
Info on Restricted Groups:

hope this helps!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.