brian_appliedcpu

Add Domain Group to Local Administrators Group through policy without replacing those already established.

Our AD consists of about 20 groups where our different departments are not allowed to log onto other departments'/users' computers.  For example, Bob is allowed to log onto his own computer and Frank's, but Frank is not allowed onto Bob's.  We have added a PCAdministrator Global Security Group and have added Jim to the group.  We want this group to be added to all of the computers' local Administrators group but not the Domain Administrators group.
We understand that the script to do this will work, but it is full of security holes, and the person logging in must be a local admin for it to actually run.

NET localgroup Administrators "DOMAIN\PCAdministrator" /add

The Restricted Group method works great but will actually replace any local admins already in place.  Since there are too many computers to go around to individually to add the PCAdministrator group, even through Computer Management, we are figuring there must be a different/better method.  Also, the Restricted Group method added the PCAdministrator to the AD Builtin Administrators group... this is definitely not good.

Any help is greatly appreciated.

BKL
Netman66

Actually, you can use Restricted groups to add to a group instead of replacing.

Right-click Restricted Groups
Select Add Group.
Browse to your PCAdministrator Group
On the next screen, Select Add under "This group is a member of"
Type in Administrators manually.
OK your way out.

This will only add the Domain group to the local Administrators group; it won't replace anything already there.
With respect to making sure it does NOT add your group to the AD Admin group, make sure you link the policy on an OU where the PCs live (not the Computer container) so that it does not apply to the servers.

If this isn't possible, then on the Security tab of the policy find the entry for Domain Controllers and check Apply Group Policy under DENY.

brian_appliedcpu

ASKER

OK, but that does not resolve the issue where it will delete any administrators previously added.

bkl
The method I described does not remove any other members from the Administrators local group - whatever is in that group will remain.

There are two ways to use Restricted Groups - one way replaces the members of a group with those you choose and then enforces that list.

The other way is how I described above.  It will add a group WITHOUT removing anything already there.

I see nothing in your post stating you want to remove certain entries - is there more to what you are trying to do?
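A way to confirm the behaviour described above on real machines before trusting it fleet-wide, as an added PowerShell example that is not from this thread: the first run snapshots each PC's local Administrators membership, and later runs report anything that was removed and whether the domain group has been added. It assumes WinRM and PowerShell 5.1 on the targets, that the running account is a local admin on them, and uses placeholder computer and domain names.

```powershell
# Added example (not from the thread): audit local Administrators membership on a set of
# domain PCs before and after the Restricted Groups "Member of" policy is linked.
# Assumes WinRM is enabled, PowerShell 5.1 (Get-LocalGroupMember) on the targets, and a
# running account that is a local admin on them. Names below are constructed placeholders.
param(
    [string[]]$Computers     = @('PC01', 'PC02'),          # placeholder: the PCs in the OU
    [string]  $Baseline      = '.\admins-before.xml',      # snapshot file written on first run
    [string]  $ExpectedGroup = 'DOMAIN\PCAdministrator'    # placeholder NetBIOS domain name
)

# Collect the current local Administrators membership from each machine.
$current = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}

if (-not (Test-Path $Baseline)) {
    # First run: record membership as it is before the policy applies, then stop.
    $current | Export-Clixml -Path $Baseline
    Write-Output "Baseline saved to $Baseline ($(@($current).Count) entries)."
    return
}

# Later runs: compare each computer against its baseline entry.
$before = Import-Clixml -Path $Baseline
foreach ($pc in $Computers) {
    $old = @($before  | Where-Object Computer -eq $pc | Select-Object -ExpandProperty Name)
    $new = @($current | Where-Object Computer -eq $pc | Select-Object -ExpandProperty Name)
    if ($new.Count -eq 0) { Write-Warning "${pc}: no data (offline or WinRM blocked)"; continue }

    $removed = @($old | Where-Object { $_ -notin $new })
    $added   = @($new | Where-Object { $_ -notin $old })

    # "Member of" mode should remove nothing and add only the expected group.
    if ($removed.Count -gt 0) { Write-Warning "${pc}: members REMOVED: $($removed -join ', ')" }
    if ($new -contains $ExpectedGroup) { Write-Output "${pc}: OK, $ExpectedGroup present" }
    else { Write-Warning "${pc}: $ExpectedGroup not present yet (policy not applied?)" }
    $extra = @($added | Where-Object { $_ -ne $ExpectedGroup })
    if ($extra.Count -gt 0) { Write-Output "${pc}: other additions: $($extra -join ', ')" }
}
```

Run it once before linking the GPO to write the baseline, then again after a gpupdate on the targets; any "members REMOVED" warning means the policy was configured in the replacing "Members of this group" mode rather than "This group is a member of".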

I just noticed other postings that said entries in the Local Users and Groups Administrators group would be removed, and I did not want to just experiment and mess up around 80 PCs.

thanks.

ASKER CERTIFIED SOLUTION
Netman66

That is exactly what I did to test and all is fine.
Thanks for your assistance.

BKL
Super!  Glad to help.

NM