ItsChad

asked on

Restricted Groups under group policy

I am wanting to make certain members of my domain, administrators on all the local machines on the network. Basically I want them to be able to add and remove programs. All the members I want to have these rights are members of an organizational unit I call "Team Leaders" and there are probably 30 of these members in that unit.
I think this is how I do it and would like some guidance on setting up, more efficiently if you see one:
Enter Group policy and navigate to restricted groups under computers
Add a group named "Administrator" right click and add the ou "Team Leaders" to it?

Is the way I am setting this up proper to set up all my team leaders as local admins on all Windows XP computers on my network?

Thanks,
Chad
ASKER CERTIFIED SOLUTION
Rob Williams

ItsChad

ASKER

The PCs on this network were allowed to add themselves so they are not in any form of OU. Would they need to be so that this will work properly?
Yes, you need to create an OU and move the computers to that OU. Then apply the group policy to that OU. Following is an outline of the complete process:
-First step is to create an OU (Organizational Unit) for the computers you want to give these users admin rights to, in Active Directory Users and Computers, under your Domain. This can be a sub-OU of an existing Computer OU. Move the computers to be affected to this OU, or you can use an existing OU that contains the computers on which you wish to apply the policy.
-Next create a new Group Policy Object by right-clicking on the OU, choose Properties, then the Group Policy tab, create a new GPO and give it a name
-Locate the policy item under: Computer Configuration | Windows Settings | Security Settings | Restricted Groups
-Right click on Restricted Groups and choose add a group
-Browse to the administrators group (using browse, advanced, find), OK, OK
-Then click Add beside "members of this group"
-Now add the users you wish to make local administrators, again using the browse button. NOTE!!! This will eliminate all existing local admin accounts on any computer in the OU except the local admin account. Therefore, add the Domain Administrators group as well as any other users or groups you wish to have admin rights. You will be denied yourself if you are not a member of one of these groups. Very important: make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway, as that would give these users admin rights to them as well.
-Click OK and you are done
-Group policy takes 5 minutes on the Domain Controller and up to 90 minutes on the workstations to be updated. If you wish to force this right away, on the appropriate machine at a command line enter gpupdate /force for XP, and for Win2K use secedit /refreshpolicy machine_policy for the machine policy and secedit /refreshpolicy user_policy for the user policy.
A good idea is to try this with only one test computer in your computer OU first.
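
The lockout warning in the steps above can be checked before the GPO is linked. This Python check is an added example, not part of the original thread: it reads the [Group Membership] section that a Restricted Groups setting writes to the GPO's GptTmpl.inf security template and reports when the Administrators entry is missing, empty, or lacks Domain Admins. It assumes the group the answer calls Domain Administrators is the well-known Domain Admins group (RID 512); the function names are hypothetical and the sample template and SIDs are constructed.

```python
# Added example: lint [Group Membership] in a GPO's GptTmpl.inf. SAMPLE and its SIDs are constructed.
import re

ADMINS_KEYS = {"*s-1-5-32-544", "administrators"}  # built-in Administrators, by SID or by name
DOMAIN_ADMINS_SID = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-512$", re.I)

def restricted_members(inf_text):
    """Return {group: [members]} for every '<group>__Members' line."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep and kind.lower() == "members":
            groups[group.lower()] = [m.strip() for m in value.split(",") if m.strip()]
    return groups

def lint_admins(inf_text):
    """Return a list of findings about the local Administrators entry."""
    groups = restricted_members(inf_text)
    members = next((groups[k] for k in ADMINS_KEYS if k in groups), None)
    if members is None:
        return ["policy does not define Members for the Administrators group"]
    findings = []
    if not members:
        findings.append("Members list is empty: all added local admins would be removed")
    has_da = any(DOMAIN_ADMINS_SID.match(m) or m.lower().endswith("\\domain admins")
                 for m in members)
    if not has_da:
        findings.append("Domain Admins is not in the Members list")
    return findings

SAMPLE = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

if __name__ == "__main__":
    print(lint_admins(SAMPLE) or "ok")
```

Run it against a copy of the template from the test GPO before moving more than the one test computer into the OU.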
ItsChad

ASKER

Thanks Rob,

I will test this on Monday. I really appreciate your help with this. This is my first real attempt at administering on Server 2003.

Very welcome. Good luck with it. Restricted groups is actually one of the tricky ones. Master that and you are home free.  :-)
Thanks ItsChad,
--Rob