Add Domain Group to Local Administrators Group through policy without replacing those already established.

Posted on 2006-05-30
Last Modified: 2010-04-18
Our AD consists of about 20 groups where our different departments are not allowed to log onto other department/users' computers. Example: Bob is allowed to log onto his own computer and Frank's, but Frank is not allowed into Bob's. We have added a PCAdministrator Global Security Group and have added Jim to the group. We want this group to be added to all of the computers' local Administrators group but not the Domain Administrators group.
We understand that the script to do this will work but is full of security holes, and the person logging in must be a local admin to have it actually run.

NET localgroup Administrators DOMAIN\PCAdministrator /add

The Restricted Group method works great but will actually replace any local admins already in place. Since there are too many computers to go around to individually to add the PCAdministrator group to, even through Computer Management, we are figuring there must be a different/better method. Also, the Restricted Group method added the PCAdministrator to the AD Builtin Administrators group. This is definitely not good.

Any help is greatly appreciated.

BKL
Question by:brian_appliedcpu
8 Comments
LVL 51

Expert Comment

by:Netman66
ID: 16792231
Actually, you can use Restricted groups to add to a group instead of replacing.

Right-click Restricted Groups
Select Add Group.
Browse to your PCAdministrator Group
On the next screen, Select Add under "This group is a member of"
Type in Administrators manually.
OK your way out.

This will only add the Domain group to the local Administrators group, it won't replace anything already there.
LVL 51

Expert Comment

by:Netman66
ID: 16792258
With respect to making sure it does NOT add your group to the AD Admin group, make sure you link the policy on an OU where the PCs live (not the Computer container) so that it does not apply to the servers.

If this isn't possible, then on the Security tab of the policy find the entry for Domain Controllers and check Apply Group Policy under DENY.

LVL 2

Author Comment

by:brian_appliedcpu
ID: 16792729
OK, but that does not resolve the issue where it will delete any administrators previously added.

bkl
LVL 51

Expert Comment

by:Netman66
ID: 16793464
The method I described does not remove any other members from the Administrators local group - whatever is in that group will remain.

There are two ways to use Restricted Groups - one way replaces the members of a group with those you choose and then enforces that list.

The other way is how I described above.  It will add a group WITHOUT removing anything already there.

I see nothing in your post stating you want to remove certain entries - is there more to what you are trying to do?

LVL 2

Author Comment

by:brian_appliedcpu
ID: 16793579
I just noticed other postings that said entries in the Local Users and Groups Administrators Group would be removed and I did not want to just experiment and mess up around 80 pcs.

thanks.

LVL 51

Accepted Solution

by: Netman66 (earned 2000 total points)
ID: 16793702
Please look at my profile.  I wouldn't suggest to anyone to do something I wasn't sure of in a production network.

The most common method of using Restricted Groups is the "first way" in my last post.  The other (less known or used method) is the one you want.

You can test it easily by creating a test OU, moving a PC into it and creating a simple GPO that is linked to this OU that uses Restricted Groups as I instructed above.

You should see that only your PCAdministrator group is added, nothing is removed.

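The two Restricted Groups modes Netman66 distinguishes can be told apart from the GPO's security template before the policy is linked to the test OU. The Python below is an added example, not part of the thread: it parses the [Group Membership] section of a GptTmpl.inf and reports whether the policy enforces the local Administrators member list (the replacing form) or only adds a group to it (the additive form); the CONTOSO domain and both .inf samples are constructed.

```python
"""Audit a Restricted Groups GPO before linking it (constructed example, not
from the thread). The policy lives in the GPO's GptTmpl.inf security template
(SYSVOL, Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf); [Group Membership]
holds '<group>__Members' / '<group>__Memberof' keys, comma-separated, SIDs prefixed '*'."""

ADMINS_SID = "*S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample of "Members of this group" set on Administrators: the
# replacing form the asker was worried about.
REPLACING_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\\PCAdministrator
"""
# Constructed sample of "This group is a member of" set on the domain group:
# the additive form recommended in the thread.
ADDITIVE_INF = """\
[Group Membership]
CONTOSO\\PCAdministrator__Memberof = *S-1-5-32-544
CONTOSO\\PCAdministrator__Members =
"""

def group_membership(inf_text):
    """Map each group in [Group Membership] to its configured Members / Memberof
    lists. An absent key stays unset; a present but empty key is an empty list,
    because a present Members key means the list is enforced even when empty."""
    result, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        result.setdefault(group, {})[kind] = [m.strip() for m in value.split(",") if m.strip()]
    return result

def audit(inf_text, target=ADMINS_SID):
    """("enforces", listed) if the policy sets target's member list (anything not
    listed is removed at every refresh); ("adds", groups) if it only makes other
    groups members of target; ("untouched", []) otherwise."""
    gm = group_membership(inf_text)
    if "Members" in gm.get(target, {}):
        return "enforces", gm[target]["Members"]
    adders = [g for g, cfg in gm.items() if target in cfg.get("Memberof", [])]
    return ("adds", adders) if adders else ("untouched", [])
```

Run `audit()` over the template of the GPO you are about to link: an "enforces" result on the Administrators SID is the form that removes existing local admins, while "adds" is the behaviour confirmed in the accepted solution.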
LVL 2

Author Comment

by:brian_appliedcpu
ID: 16793749
That is exactly what I did to test and all is fine.
Thanks for your assistance.

BKL
LVL 51

Expert Comment

by:Netman66
ID: 16793831
Super!  Glad to help.

NM