Restricted Groups under group policy

Posted on 2006-10-21
Last Modified: 2010-05-18
I am wanting to make certain members of my domain administrators on all the local machines on the network. Basically I want them to be able to add and remove programs. All the members I want to have these rights are members of an organizational unit I call "Team Leaders", and there are probably 30 of these members in that unit.
I think this is how I do it, and would like some guidance on setting it up (more efficiently, if you see a way):
Enter Group policy and navigate to restricted groups under computers
Add a group named "Administrator" right click and add the ou "Team Leaders" to it?

Is the way I am setting this up the proper way to set up all my team leaders as local admins on all Windows XP computers on my network?

Thanks,
Chad
Question by:ItsChad
Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17782367
There are two ways to do it. The way you mentioned, which is the more common method, is that you add the users to the "Members of this group" list. This will also remove all existing local administrators on the local PCs, except the default local admin account. If you create a new local administrator on the local workstation, it will be removed with the next refresh of group policy.

The other way is to use the "This group is a member of" section. Using this adds your users/group to the local admin account, but does not remove the existing users.

Very important, make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway as that would give these users admin rights to them as well.

Useful links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47


If you only want to add a few users to a few computers, you can also create a batch file. From an earlier post of mine:
I wrote a little script a while ago to run a batch file from the server to quickly add users or groups to the Local Admin group of any computer in the Domain. It may be of some help to you:

Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller, but it works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Add.bat - adds user or group %1 to the local Administrators group on computer %2
:: Usage:  Add username computername   (quote names containing spaces, e.g. "Domain Users")
@Echo off
CLS
If "%~2"=="" (
   Echo Usage: Add username computername
   GoTo :EOF
)
:: Write the log header only the first time, when the log file does not exist yet
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
:: cusrmgr.exe (Windows 2000 Resource Kit): -m target machine, -alg local group to add to, -u user or group
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run it from a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute a group name for the username. If there is a space, such as in Domain Users, enclose it in quotes: "Domain Users"
I thought the username had to be in the form username@domain.local, but the basic name seems to work fine; if you have problems, use the long form. No "\\" are necessary for the computer name.
It will also create a log file named UserAdd.log where you can check for success or errors.

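The two Restricted Groups forms described in the accepted solution are stored in the GPO's GptTmpl.inf under a [Group Membership] section, where a "*SID__Members" line is authoritative (anything not listed is removed at every refresh) and a "*SID__Memberof" line only adds the named group to the target. The following is an added example, not code from the original thread, that parses that section and reports the mode of each entry, flagging the lockout case Rob warns about (BUILTIN\Administrators replaced with a list that does not include Domain Admins). The three sample policies are constructed; the domain SID and the Team Leaders RID (1107) are assumptions, while S-1-5-32-544 and RID 512 are the well-known values for BUILTIN\Administrators and Domain Admins.

```powershell
# Added example, not code from the original thread. Parses the [Group Membership]
# section that the Restricted Groups editor writes into a GPO's GptTmpl.inf and
# reports, per group, whether the entry replaces membership or only adds to it,
# flagging the lockout case the answer warns about.
# Constructed samples below; the domain SID and the Team Leaders RID are assumptions.

$BuiltinAdmins = 'S-1-5-32-544'                               # BUILTIN\Administrators, well-known SID
$DomainSid     = 'S-1-5-21-1111111111-2222222222-3333333333'  # assumption: your domain's SID
$DomainAdmins  = "$DomainSid-512"                              # Domain Admins, well-known RID 512
$TeamLeaders   = "$DomainSid-1107"                             # assumption: RID of the Team Leaders group

function Get-RestrictedGroupEntries {
    param([string]$IniText)
    # Returns @{ <group SID> = @{ Members = @(sids); Memberof = @(sids) } }
    $entries   = @{}
    $inSection = $false
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }
        # Lines look like:  *S-1-5-32-544__Members = *S-1-5-21-...-512,*S-1-5-21-...-1107
        if ($line -match '^\*?(?<sid>[^=]+?)__(?<kind>Members|Memberof)\s*=\s*(?<val>.*)$') {
            $sid = $Matches['sid']; $kind = $Matches['kind']; $val = $Matches['val']
            if (-not $entries.ContainsKey($sid)) { $entries[$sid] = @{ Members = @(); Memberof = @() } }
            $entries[$sid][$kind] = @($val -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $entries
}

function Test-RestrictedGroupsPolicy {
    param([string]$IniText, [string]$DomainAdminsSid)
    $entries = Get-RestrictedGroupEntries -IniText $IniText
    foreach ($group in $entries.Keys) {
        $e = $entries[$group]
        foreach ($target in $e.Memberof) {
            # "This group is a member of": additive, existing members of the target are kept
            [pscustomobject]@{ Group = $group; Mode = 'Memberof'; Detail = "added to $target; existing members of $target kept" }
        }
        if ($e.Members.Count -gt 0 -or $e.Memberof.Count -eq 0) {
            # "Members of this group": authoritative; anyone not listed is removed at each refresh
            $detail = 'membership replaced with: ' + ($e.Members -join ', ')
            if ($group -eq $BuiltinAdmins -and $e.Members -notcontains $DomainAdminsSid) {
                $detail += '  ** LOCKOUT RISK: Domain Admins not listed **'
            }
            [pscustomobject]@{ Group = $group; Mode = 'Members'; Detail = $detail }
        }
    }
}

# Constructed sample 1: "Members of this group" with only Team Leaders listed (the lockout case)
$Weak = @"
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${BuiltinAdmins}__Memberof =
*${BuiltinAdmins}__Members = *$TeamLeaders
"@

# Constructed sample 2: the same form with Domain Admins kept in the list
$Fixed = @"
[Group Membership]
*${BuiltinAdmins}__Memberof =
*${BuiltinAdmins}__Members = *$DomainAdmins,*$TeamLeaders
"@

# Constructed sample 3: "This group is a member of" form; the empty Members line is what the editor writes
$Additive = @"
[Group Membership]
*${TeamLeaders}__Memberof = *$BuiltinAdmins
*${TeamLeaders}__Members =
"@

foreach ($sample in 'Weak', 'Fixed', 'Additive') {
    Write-Host "--- $sample ---"
    Test-RestrictedGroupsPolicy -IniText (Get-Variable $sample -ValueOnly) -DomainAdminsSid $DomainAdmins |
        Format-Table -AutoSize -Wrap
}
```

To run this against a real GPO rather than the constructed samples, read the file from \\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf (for example with Get-Content -Raw) and pass the text as -IniText before linking the GPO to the computer OU; the first sample is flagged, the second is not, and the third reports as additive only.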
Author Comment

by:ItsChad
ID: 17782396
The pc's on this network were allowed to add themselves so they are not in any form of OU. Would they need to be so that this will work properly?

Expert Comment

by:Rob Williams
ID: 17782410
Yes you need to create an OU and move the computers to that OU. Then apply the group policy to that OU. Following is an outline of the complete process:
-First step is to create an OU (Organizational Unit) for the computers you want to give these users admin rights to, in Active Directory Users and Computers, under your Domain. This can be a sub-OU of an existing Computer OU. Move the computers to be affected to this OU, or you can use an existing OU that contains the computers on which you wish to apply the policy.
-Next create a new Group Policy Object by right clicking on the OU choose properties, then the Group policy Tab, create new GPO and give it a name
-Locate the policy item under; Computer Configuration | Windows Settings | Security Settings | Restricted groups
-Right click on Restricted Groups and choose add a group
-Browse to the administrators group (using browse, advanced, find), OK, OK
-Then click Add beside "members of this group"
-Now add the users you wish to make local administrators, again using the browse button. NOTE !!! this will eliminate all existing local admin accounts on any computer in the OU except the local admin account. Therefore, add the Domain Administrators group as well as any other users or groups you wish to have admin rights. You yourself will be denied if you are not a member of one of these groups. Very important: make sure your Domain Controller is not a member of this OU or you could get locked out if you forget to add yourself. You likely don't want any of your servers to be members of the OU anyway, as that would give these users admin rights to them as well.
-Click OK and you are done
-Group policy takes 5 minutes on the Domain Controller and up to 90 minutes on the workstations to be updated. If you wish to force this right away, on the appropriate machine at a command line enter gpupdate /force for XP, and for Win2K use secedit /refreshpolicy machine_policy for the machine policy and secedit /refreshpolicy user_policy for the user policy.
A good idea is to try this with only one test computer in your computer OU first.
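Once the policy has been forced with gpupdate /force on the single test computer the procedure above recommends, the check a practitioner wants is to read back what actually landed in that computer's local Administrators group and compare it with the intended list. The following is an added example, not code from the original thread, that does this from a domain admin's session through the WinNT ADSI provider (which works against XP/2003 targets without any remoting on the target; PowerShell 3 or later is assumed on the admin workstation). The domain name CORP, the test computer WS01, and the group names are assumptions matching the thread.

```powershell
# Added example, not code from the original thread. After gpupdate /force on the
# test computer, confirms what is actually in its local Administrators group.
# Uses the WinNT ADSI provider, so it works against XP/2003 from a domain admin's
# session without remoting on the target. Computer and group names are assumptions.

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # ADsPath is WinNT://DOMAIN/Group for domain principals and
        # WinNT://DOMAIN/COMPUTER/User for local accounts; keep the last two parts
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        ($parts | Select-Object -Last 2) -join '\'
    }
}

function Test-LocalAdminMembers {
    param([string[]]$ComputerName, [string[]]$Expected)
    foreach ($c in $ComputerName) {
        try   { $actual = @(Get-LocalAdminMembers -ComputerName $c) }
        catch { [pscustomobject]@{ Computer = $c; Status = 'ERROR'; Detail = $_.Exception.Message }; continue }
        # The built-in local Administrator survives Restricted Groups, so it is always expected
        $want    = @($Expected) + "$c\Administrator"
        $missing = @($want   | Where-Object { $actual -notcontains $_ })
        $extra   = @($actual | Where-Object { $want   -notcontains $_ })
        $status  = if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{
            Computer = $c
            Status   = $status
            Detail   = "missing: [$($missing -join ', ')] extra: [$($extra -join ', ')]"
        }
    }
}

# Assumed names: domain CORP, test computer WS01 in the new OU, groups as in the thread.
# 'extra' lists any local admin account that the "Members of this group" form should have removed.
Test-LocalAdminMembers -ComputerName 'WS01' -Expected 'CORP\Domain Admins', 'CORP\Team Leaders' |
    Format-Table -AutoSize -Wrap
```

A MISMATCH with something in "extra" right after the refresh means the policy did not apply as intended (or the "This group is a member of" form was used, which leaves existing members alone); something in "missing" on Domain Admins is the lockout condition described above, caught on one test machine rather than on the whole OU.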

Author Comment

by:ItsChad
ID: 17782477
Thanks Rob,

I will test this on Monday. I really appreciate your help with this. This is my first real attempt at administering on Server 2003.


Expert Comment

by:Rob Williams
ID: 17782490
Very welcome. Good luck with it. Restricted groups is actually one of the tricky ones. Master that and you are home free.  :-)

Expert Comment

by:Rob Williams
ID: 17800866
Thanks ItsChad,
--Rob