Solved

How to use GPO to add domain admins as an administrator on all computers in the domain

Posted on 2006-11-21
Last Modified: 2010-04-18
In our domain, end users are administrators of their own machines. Although it is forbidden, some users remove domain admins from the administrators groups. Is there a GPO that I can implement that will force the addition of domain admins to all computers in the domain, without removing the end user's account from the administrator group on their local machine?
Question by:dmaxIT
8 Comments
 
LVL 86

Expert Comment

by:oBdA
ID: 17989855
Yes, through a "Restricted Groups" policy.
Do NOT use the "Administrators" group and add "Domain Admins" to the "This group has the following members" field, though; that would add the domain admins, but at the same time remove the locally defined admins.
Instead, add the "Domain Admins" group, and use the "This group is a member of the following groups" setting, add the "Administrators" group there.
Try this in a test OU with a test machine first.
0
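An added example (not part of the original answer) showing how the two Restricted Groups settings described above differ once saved. It assumes the GPO stores them in the `[Group Membership]` section of its `GptTmpl.inf` security template as `__Members` and `__Memberof` keys; the SIDs, sample templates and function names are constructed for illustration.

```python
import re

# Constructed sample values. S-1-5-32-544 is the well-known SID of the local
# Administrators group; the domain SID is a made-up placeholder whose RID 512
# denotes Domain Admins.
ADMINISTRATORS = "*S-1-5-32-544"
DOMAIN_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-512"

# "This group has the following members" configured on Administrators:
# the form the answer warns against, because local admins are removed.
REPLACING_INF = f"""[Group Membership]
{ADMINISTRATORS}__Memberof =
{ADMINISTRATORS}__Members = {DOMAIN_ADMINS}
"""
# "This group is a member of" configured on Domain Admins: the additive form.
ADDITIVE_INF = f"""[Group Membership]
{DOMAIN_ADMINS}__Memberof = {ADMINISTRATORS}
{DOMAIN_ADMINS}__Members =
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [entries]} for [Group Membership]."""
    result, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+)__(members|memberof)", key.strip(), re.IGNORECASE)
        if m:
            entries = [v.strip() for v in value.split(",") if v.strip()]
            result[(m.group(1).strip(), m.group(2).lower())] = entries
    return result

def classify(inf_text, targets=(ADMINISTRATORS, "Administrators")):
    """Report how a template touches local Administrators (by SID or by name)."""
    wanted = {t.lower() for t in targets}
    findings = []
    for (group, kind), entries in parse_group_membership(inf_text).items():
        if kind == "members" and group.lower() in wanted and entries:
            findings.append(("replaces", group, entries))   # other members are removed
        elif kind == "memberof" and any(e.lower() in wanted for e in entries):
            findings.append(("adds", group, entries))        # existing members are kept
    return findings
```

A real `GptTmpl.inf` is normally UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `classify`.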
 

Author Comment

by:dmaxIT
ID: 17989906
Where is that GPO located?
0
 
LVL 86

Expert Comment

by:oBdA
ID: 17989952
Someplace under Computer Configuration\Windows Configuration\Security Settings, can't look it up at the moment, but it's not too hard to find.
And maybe of interest:

Description of Group Policy Restricted Groups
http://support.microsoft.com/?kbid=810076

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/?kbid=810076
0

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17989976
You could also create a computer startup script (applied with group policy to your computer OU) with the following syntax:

net localgroup administrators "domainName\Domain Admins" /add

This will add the Domain Admins group and leave everything else in the administrators group intact.

Hope this helps
Crow
0
 

Author Comment

by:dmaxIT
ID: 17990002
I am sorry that I am still not understanding this completely. Currently, I have nothing in my restricted groups. Do I add domain admins to the restricted groups? Will I then see the "This group is a member of the following groups" setting? Thanks for all of your help.
0
 
LVL 86

Expert Comment

by:oBdA
ID: 17990055
Yes; right-click, choose "Add Group", enter "Domain Admins", add "Administrators" to the list "This group is a member of the following groups".
0
 

Author Comment

by:dmaxIT
ID: 17990099
That worked for my 2000 machines, but my XP machines do not appear to be picking up the GPO?  Any ideas?
0
 
LVL 86

Accepted Solution

by:
oBdA earned 1000 total points
ID: 17990120
Do the XP machines have SP 2 installed? If not, check the second article I posted above.
0

Question has a verified solution.