Solved

Restricted Groups under group policy

Posted on 2006-10-21
6
265 Views
Last Modified: 2010-05-18
I want to make certain members of my domain administrators on all the local machines on the network. Basically I want them to be able to add and remove programs. All the members I want to have these rights are members of an organizational unit I call "Team Leaders", and there are probably 30 members in that unit.
I think this is how I do it, and would like some guidance on setting it up, or a more efficient way if you see one:
Enter Group Policy and navigate to Restricted Groups under Computers.
Add a group named "Administrator", right click and add the OU "Team Leaders" to it?

Is the way I am setting this up the proper way to set up all my team leaders as local admins on all Windows XP computers on my network?

Thanks,
Chad
0
Question by:ItsChad
6 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17782367
There are two ways to do it. The way you mentioned, which is the more common method, is where you add the users to the "Members of this group" list. This will also remove all existing local administrators on the local PCs, except the default local admin account. If you create a new local administrator on the local workstation it will be removed with the next refresh of group policy.

The other way is to use the "This group is a member of" section. Using this adds your users/group to the local admin group, but does not remove the existing users.

Very important, make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway as that would give these users admin rights to them as well.

Useful links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47


If you only want to add a few users to a few computers you can also create a batch file. From an earlier post of mine:
I wrote a little script awhile ago to run a batch file from the server to quickly add users or groups to the Local Admin group of any computer in the Domain. It may be of some help to you:

Copy the file cusrmgr.exe from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
and put it in a folder of your choice. I recommend doing this from the domain controller, but it works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below:
==========================================================================

:: Batch file to add username %1 to the local Administrators group on computer %2
:: Usage: Add username computername   (quote names containing spaces, e.g. "Domain Users")
@Echo off
CLS
:: Refuse to run with missing arguments rather than passing blanks to cusrmgr
If "%~2"=="" (
    Echo Usage: Add username computername
    GoTo :EOF
)
:: Write the log header only the first time the log file is created
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
:: cusrmgr.exe (Resource Kit): -m = target machine, -alg = add to local group, -u = user or group to add
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute a group name for the username. If there is a space, such as in Domain Users, enclose it in quotes: "Domain Users"
I thought the username had to be in the form username@domain.local, but the basic name seems to work fine; if you have problems use the long form. No "\\" is necessary for the computer name.
It will also create a log file named UserAdd.log where you can check for success or errors.

0
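To make the "Members" versus "This group is a member of" distinction Rob describes concrete, here is an added PowerShell example (not part of Rob's answer or the thread). Restricted Groups settings are stored in the GPO's security template, GptTmpl.inf in SYSVOL, under a [Group Membership] section; the script parses that section and reports which groups the policy manages authoritatively (existing members get removed) and which it only adds to. The inline template is a constructed sample, and the S-1-5-21-... domain SIDs in it (with RID 512 standing for Domain Admins and RID 1105 standing for a "Team Leaders" domain security group) are placeholders; S-1-5-32-544 is the real well-known SID of BUILTIN\Administrators.

```powershell
# Added example, not from the original thread. Parses the [Group Membership] section of a
# Restricted Groups template and reports, per group, whether the policy is authoritative
# ("Members": replaces the local group's membership) or additive ("Memberof": only adds the
# group to the listed groups). Real templates live in SYSVOL at
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# The text below is a constructed sample; the S-1-5-21-... domain SIDs are placeholders.

$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

function Resolve-SidOrName {
    param([string]$Id)
    if ($Id -notmatch '^S-1-') { return $Id }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Id)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Id }   # placeholder domain SIDs cannot be translated offline; keep the raw SID
}

function Get-RestrictedGroupPolicy {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $inSection = $false
    $groups = [ordered]@{}
    foreach ($line in $InfLines) {
        $trim = $line.Trim()
        if ($trim -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $trim -eq '') { continue }
        # Entry form:  *<group SID or name>__Members = *SID,*SID      (or __Memberof)
        if ($trim -match '^\*?(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group']
            $mode  = $Matches['mode']
            $list  = @($Matches['list'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            if (-not $groups.Contains($group)) {
                $groups[$group] = [pscustomobject]@{ Group = $group; Members = @(); Memberof = @() }
            }
            $groups[$group].$mode = $list
        }
    }
    $groups.Values
}

function Show-RestrictedGroupRisk {
    param([Parameter(Mandatory)][string[]]$InfLines)
    foreach ($g in Get-RestrictedGroupPolicy -InfLines $InfLines) {
        $name = Resolve-SidOrName $g.Group
        if ($g.Members.Count -gt 0) {
            "$name : AUTHORITATIVE - existing members are removed; membership becomes: " +
                (($g.Members | ForEach-Object { Resolve-SidOrName $_ }) -join ', ')
            # Rob's warning: if BUILTIN\Administrators is managed authoritatively, Domain Admins
            # (RID 512) must be in the list or domain admins lose local admin rights on the PCs.
            if ($g.Group -eq 'S-1-5-32-544' -and -not ($g.Members | Where-Object { $_ -match '-512$' })) {
                "  WARNING: Domain Admins (RID 512) is not listed; you may lock yourself out."
            }
        }
        if ($g.Memberof.Count -gt 0) {
            "$name : ADDITIVE - added to " + (($g.Memberof | ForEach-Object { Resolve-SidOrName $_ }) -join ', ') +
                " without removing existing members"
        }
    }
}

# Offline run on the constructed sample. Against a real GPO, feed it the SYSVOL file instead:
#   Show-RestrictedGroupRisk -InfLines (Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{<GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf')
Show-RestrictedGroupRisk -InfLines ($SampleInf -split "`r?`n")
```

The first entry in the sample is the common method (Administrators managed authoritatively, so the list must include Domain Admins); the second is the additive method, where the domain group itself is the restricted group and its Memberof line points at Administrators. Reading the template this way before linking the GPO is a cheap check that you have not configured the authoritative form without your own admin group in it.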
 

Author Comment

by:ItsChad
ID: 17782396
The PCs on this network were allowed to add themselves, so they are not in any form of OU. Would they need to be so that this will work properly?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17782410
Yes, you need to create an OU and move the computers to that OU. Then apply the group policy to that OU. Following is an outline of the complete process:
-First step is to create an OU (Organizational Unit) for the computers you want to give these users admin rights to, in Active Directory Users and Computers, under your Domain. This can be a sub-OU of an existing Computer OU. Move the computers to be affected to this OU, or you can use an existing OU that contains the computers on which you wish to apply the policy.
-Next create a new Group Policy Object by right clicking on the OU, choose Properties, then the Group Policy tab, create a new GPO and give it a name.
-Locate the policy item under: Computer Configuration | Windows Settings | Security Settings | Restricted Groups
-Right click on Restricted Groups and choose Add Group
-Browse to the Administrators group (using Browse, Advanced, Find), OK, OK
-Then click Add beside "Members of this group"
-Now add the users you wish to make local administrators, again using the Browse button. NOTE !!! This will eliminate all existing local admin accounts on any computer in the OU except the local Administrator account. Therefore, add the Domain Administrators group as well as any other users or groups you wish to have admin rights. You will be denied yourself if you are not a member of one of these groups. Very important, make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway, as that would give these users admin rights to them as well.
-Click OK and you are done.
-Group policy takes 5 minutes on the Domain Controller and up to 90 minutes on the workstations to be updated. If you wish to force this right away, on the appropriate machine at a command line enter "gpupdate /force" for XP; for Win2K use "secedit /refreshpolicy machine_policy" for the machine policy and "secedit /refreshpolicy user_policy" for the user policy.
A good idea is to try this with only one test computer in your computer OU first.
0
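Rob's last tip, trying the policy on one test computer first, is only useful if you then check what actually ended up in the local Administrators group. The following added PowerShell example (not from the thread) does that audit: it reads the local Administrators group of a computer through the WinNT ADSI provider, normalises the members to DOMAIN\Name (local accounts shown as LOCAL\Name), and compares them with an approved list, flagging anything unexpected and anything the policy should have added but did not. The domain name CONTOSO, the OU distinguished name, and the "Team Leaders" domain security group are assumptions; the membership snapshot used for the offline run is constructed. The live enumeration functions need domain admin rights and network access to each PC.

```powershell
# Added example, not from the original thread. Audits the local Administrators group of the
# computers in an OU after a Restricted Groups policy has applied, and flags members that are
# not on the approved list (or approved members that are missing, i.e. policy not applied yet).
# Domain name CONTOSO, OU path and "Team Leaders" group are assumptions.

$ApprovedAdmins = @('LOCAL\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Team Leaders')

function Get-ComputersInOU {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    # Plain DirectorySearcher so this works without the ActiveDirectory module
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$OuDistinguishedName"
    $searcher.Filter = '(objectCategory=computer)'
    [void]$searcher.PropertiesToLoad.Add('name')
    $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }
}

function Get-LocalAdministrators {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Members come back as COM objects; ADsPath looks like WinNT://CONTOSO/Team Leaders
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $parts  = ($path -replace '^WinNT://', '') -split '/'
        $domain = if ($parts.Count -ge 2) { $parts[0] } else { $ComputerName }
        if ($domain -ieq $ComputerName) { $domain = 'LOCAL' }   # local account on this PC
        "$domain\$name"
    }
}

function Compare-LocalAdministrators {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$ActualMembers = @(),
        [Parameter(Mandatory)][string[]]$ApprovedMembers
    )
    foreach ($m in $ActualMembers) {
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $m
            Status   = if ($ApprovedMembers -contains $m) { 'approved' } else { 'UNEXPECTED' }
        }
    }
    foreach ($a in $ApprovedMembers) {
        if ($ActualMembers -notcontains $a) {
            [pscustomobject]@{ Computer = $ComputerName; Member = $a; Status = 'MISSING (policy not applied?)' }
        }
    }
}

# Offline demonstration on a constructed snapshot of one PC's Administrators group
$snapshot = @('LOCAL\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Team Leaders', 'LOCAL\helpdesk-temp')
Compare-LocalAdministrators -ComputerName 'PC1' -ActualMembers $snapshot -ApprovedMembers $ApprovedAdmins |
    Format-Table -AutoSize

# Live run against every computer in the OU (uncomment on a domain-joined admin workstation):
# foreach ($pc in Get-ComputersInOU 'OU=Team Leader PCs,DC=contoso,DC=local') {
#     Compare-LocalAdministrators -ComputerName $pc -ActualMembers (Get-LocalAdministrators $pc) `
#                                 -ApprovedMembers $ApprovedAdmins
# }
```

In the offline run the constructed LOCAL\helpdesk-temp account shows up as UNEXPECTED, which is exactly the kind of stray local admin the authoritative "Members of this group" setting will remove at the next refresh; running the live loop before and after gpupdate /force on the test PC shows the policy taking effect without guessing.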

Author Comment

by:ItsChad
ID: 17782477
Thanks Rob,

I will test this on Monday. I really appreciate your help with this. This is my first real attempt at administering on Server 2003.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17782490
Very welcome. Good luck with it. Restricted groups is actually one of the tricky ones. Master that and you are home free.  :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17800866
Thanks ItsChad,
--Rob
0
