Solved

Restricted Groups under group policy

Posted on 2006-10-21
Last Modified: 2010-05-18
I want to make certain members of my domain administrators on all the local machines on the network. Basically I want them to be able to add and remove programs. All the members I want to have these rights are members of an organizational unit I call "Team Leaders", and there are probably 30 members in that unit.
I think this is how I do it, and would like some guidance on setting it up (or a more efficient way, if you see one):
Enter Group Policy and navigate to Restricted Groups under Computers
Add a group named "Administrator", right click and add the OU "Team Leaders" to it?

Is the way I am setting this up the proper way to set up all my team leaders as local admins on all Windows XP computers on my network?

Thanks,
Chad
Question by:ItsChad

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17782367
There are two ways to do it. The way you mentioned, which is the more common method, is to add the users to the "Members of this group" list. This will also remove all existing local administrators on the local PCs, except the default local admin account. If you create a new local administrator on the local workstation it will be removed with the next refresh of group policy.

The other way is to use the "This group is a member of" section. Using this adds your users/group to the local admin account, but does not remove the existing users.

Very important, make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway as that would give these users admin rights to them as well.

Useful links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47


If you only want to add a few users to a few computers, you can also create a batch file. From an earlier post of mine:
I wrote a little script a while ago to run a batch file from the server to quickly add users or groups to the Local Admin group of any computer in the Domain. It may be of some help to you:

Copy the file cusrmgr.exe from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
and put it in a folder of your choice. I recommend doing this from the domain controller, but it works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below:
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
:: Usage: Add username computername   (quote names containing spaces: "Domain Users")
@Echo off
CLS
:: Refuse to run without both arguments instead of logging a confusing cusrmgr error
If "%~2"=="" Echo Usage: Add username computername & GoTo :EOF
:: Create the log file with a legend the first time only
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
:: Append a header line, then add %1 to the remote computer's local Administrators group
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute a group name for the username. If there is a space, such as in Domain Users, enclose it in quotes: "Domain Users"
I thought the username had to be in the form username@domain.local, but the basic name seems to work fine; if you have problems use the long form. No "\\" is necessary for the computer name.
It will also create a log file named UserAdd.log where you can check for success or errors.


Author Comment

by:ItsChad
ID: 17782396
The PCs on this network were allowed to add themselves, so they are not in any form of OU. Would they need to be, so that this will work properly?

Expert Comment

by:Rob Williams
ID: 17782410
Yes you need to create an OU and move the computers to that OU. Then apply the group policy to that OU. Following is an outline of the complete process:
-The first step is to create an OU (Organizational Unit), in Active Directory Users and Computers under your Domain, for the computers you want to give these users admin rights to. This can be a sub-OU of an existing Computer OU. Move the computers to be affected to this OU, or you can use an existing OU that contains the computers on which you wish to apply the policy.
-Next create a new Group Policy Object: right click on the OU, choose Properties, then the Group Policy tab, create a new GPO and give it a name
-Locate the policy item under; Computer Configuration | Windows Settings | Security Settings | Restricted groups
-Right click on Restricted Groups and choose add a group
-Browse to the Administrators group (using Browse, Advanced, Find), OK, OK
-Then click Add beside "Members of this group"
-Now add the users you wish to make local administrators, again using the Browse button. NOTE!!! this will eliminate all existing local admin accounts on any computer in the OU except the local admin account. Therefore, add the Domain Administrators group as well as any other users or groups you wish to have admin rights. You yourself will be denied if you are not a member of one of these groups. Very important, make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway as that would give these users admin rights to them as well.
-Click OK and you are done
-Group policy takes 5 minutes on the Domain Controller and up to 90 minutes on the workstations to be updated. If you wish to force this right away, on the appropriate machine at a command line enter "gpupdate /force" for XP; for Win2K use "secedit /refreshpolicy machine_policy" for the machine policy and "secedit /refreshpolicy user_policy" for the user policy.
A good idea is to try this with only one test computer in your computer OU first.
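Added example (not from this thread): a small Python linter for the [Group Membership] section of a GPO's GptTmpl.inf, the file in which Restricted Groups settings are stored. The layout is assumed as follows: "<group>__Members" replaces the local group's membership at every refresh, "<group>__Memberof" adds the group to the listed groups without removing anyone, and names prefixed with "*" are SIDs. It reports which of the two modes Rob describes a GPO uses and flags the lockout he warns about, an Administrators "Members" list that omits Domain Admins (RID 512); the INF text and SIDs are constructed.

```python
import re

ADMINISTRATORS_SID = "*S-1-5-32-544"  # well-known SID of the local Administrators group
DOMAIN_ADMINS_RID = "-512"            # Domain Admins has RID 512 in every domain

def parse_group_membership(inf_text):
    """Parse [Group Membership] (assumed GptTmpl.inf layout) into
    {group: {"Members": [...], "Memberof": [...]}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.match(r"(.+)__(members|memberof)$", key.strip(), re.IGNORECASE)
        if not m:
            continue
        group, kind = m.group(1), m.group(2).capitalize()   # "Members" / "Memberof"
        entry = groups.setdefault(group, {"Members": [], "Memberof": []})
        entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def check_local_admins(inf_text):
    """Describe how the GPO treats local Administrators and list lockout warnings."""
    groups = parse_group_membership(inf_text)
    enforced = groups.get(ADMINISTRATORS_SID, {}).get("Members", [])
    additive = [g for g, cfg in groups.items() if ADMINISTRATORS_SID in cfg["Memberof"]]
    warnings = []
    if enforced and not any(m.endswith(DOMAIN_ADMINS_RID) for m in enforced):
        # "Members" mode replaces the whole group at each refresh, so everyone not
        # listed (Domain Admins included) loses local admin rights: the lockout case
        warnings.append("Administrators 'Members' list omits Domain Admins (RID 512)")
    if not enforced and not additive:
        warnings.append("GPO does not configure local Administrators")
    mode = "members (replace)" if enforced else "memberof (add only)" if additive else "none"
    return {"mode": mode, "enforced": enforced, "added": additive, "warnings": warnings}

# Constructed samples; the domain SID (S-1-5-21-1111-2222-3333) and RID 1107 are made up.
RISKY_INF = """[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1107
"""
SAFE_INF = RISKY_INF.replace("-1107", "-512,*S-1-5-21-1111-2222-3333-1107")
ADDITIVE_INF = """[Group Membership]
*S-1-5-21-1111-2222-3333-1107__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1107__Members =
"""
```

Run check_local_admins() over the INF of a GPO before linking it to the computer OU; a "members (replace)" result with a warning is exactly the configuration that locks out everyone not on the list.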
 

Author Comment

by:ItsChad
ID: 17782477
Thanks Rob,

I will test this on Monday. I really appreciate your help with this. This is my first real attempt at administering on Server 2003.


Expert Comment

by:Rob Williams
ID: 17782490
Very welcome. Good luck with it. Restricted groups is actually one of the tricky ones. Master that and you are home free.  :-)

Expert Comment

by:Rob Williams
ID: 17800866
Thanks ItsChad,
--Rob