ItsChad
asked on
Restricted Groups under group policy
I am wanting to make certain members of my domain, administrators on all the local machines on the network. Basically I want them to be able to add and remove programs. All the members I want to have these rights are members of an organizational unit I call "Team Leaders" and there are probably 30 of these members in that unit.
I think this is how I do it and would like some guidance on setting up, more efficiently if you see one:
Enter Group Policy and navigate to Restricted Groups under computers
Add a group named "Administrator", right-click and add the OU "Team Leaders" to it?
Is the way I am setting this up proper to set up all my team leaders as local admins on all Windows XP computers on my network?
Thanks,
Chad
ASKER CERTIFIED SOLUTION
Yes you need to create an OU and move the computers to that OU. Then apply the group policy to that OU. Following is an outline of the complete process:
-First step is to create an OU (Organizational Unit) for the computers you want to give these users admin rights to, in Active Directory Users and Computers, under your Domain. This can be a sub-OU of an existing Computer OU. Move the computers to be affected to this OU, or you can use an existing OU that contains the computers on which you wish to apply the policy.
-Next create a new Group Policy Object by right-clicking on the OU, choosing Properties, then the Group Policy tab; create a new GPO and give it a name
-Locate the policy item under: Computer Configuration | Windows Settings | Security Settings | Restricted Groups
-Right click on Restricted Groups and choose add a group
-Browse to the administrators group (using browse, advanced, find), OK, OK
-Then click Add beside "members of this group"
-Now add the users you wish to make local administrators, again using the browse button. NOTE !!! this will eliminate all existing local admin accounts on any computer in the OU except the local admin account. Therefore, add the Domain Administrators group as well as any other users or groups, you wish to have admin rights. You will be denied yourself if you are not a member of one of these groups. Very important, make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway as that would give these users admin rights to them as well.
-Click OK and you are done
-Group policy takes 5 minutes on the Domain Controller and up to 90 minutes on the workstations to be updated. If you wish to force this right away, on the appropriate machine at a command line enter gpupdate /force for XP, and for Win2K use secedit /refreshpolicy machine_policy for the machine policy and secedit /refreshpolicy user_policy for the user policy.
A good idea is to try this with only one test computer in your computer OU first.
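The NOTE in the answer above (the enforced Members list replaces the existing local administrators, so Domain Admins has to be listed too) can be checked before the GPO reaches any workstation. As an added example, not part of the original answer: the Restricted Groups setting is saved in the GPO's GptTmpl.inf security template under [Group Membership], and this Python script parses that section and flags an Administrators Members list that omits Domain Admins. The sample template, the domain SID and RID 1604 (standing in for a hypothetical "Team Leaders" security group) are constructed.

```python
# Added example: audit a Restricted Groups template for the lockout caveat.
ADMINISTRATORS = {"s-1-5-32-544", "administrators"}  # well-known SID, or the name
DOMAIN_ADMINS_RID = "-512"                           # well-known Domain Admins RID

# Constructed GptTmpl.inf content; the domain SID and RID 1604 are made up.
# RID 1604 stands in for a hypothetical "Team Leaders" security group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1604
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} from INF text."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = line.partition("=")
        group, sep2, kind = key.strip().rpartition("__")
        if not (in_section and sep and sep2):
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(group.lstrip("*").lower(), {})[kind.lower()] = entries
    return groups

def is_domain_admins(entry):
    # Matches either a domain SID ending in RID 512 or a DOMAIN\Domain Admins name.
    e = entry.lower()
    return (e.startswith("s-1-5-21-") and e.endswith(DOMAIN_ADMINS_RID)) or e.endswith("domain admins")

def audit_administrators(text):
    """Return findings about the enforced local Administrators membership."""
    groups = parse_group_membership(text)
    members = next((g["members"] for n, g in groups.items()
                    if n in ADMINISTRATORS and "members" in g), None)
    if members is None:
        return ["no enforced Members list for Administrators in this template"]
    if not any(is_domain_admins(m) for m in members):
        return ["Domain Admins not in Members: they lose local admin on apply"]
    return []
```

The template lives under the GPO's folder in SYSVOL at Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf and is typically stored as UTF-16, so decode it before passing the text to `audit_administrators`.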
ASKER
Thanks Rob,
I will test this on Monday. I really appreciate your help with this. This is my first real attempt at administering on Server 2003.
Very welcome. Good luck with it. Restricted groups is actually one of the tricky ones. Master that and you are home free. :-)
Thanks ItsChad,
--Rob