Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to use GPO to add domain admins as an administrator on all computers in the domain

Posted on 2006-11-21
8
Medium Priority
?
269 Views
Last Modified: 2010-04-18
In our domain, end users are administrators of their own machines.  Although it is forbidden, some users remove domain admins from the administrators groups.  Is there a GPO that I can impliment that will force the addition od domain admins to all computers in the domain, without removing the end users account from the administrator group on their local machine?
0
Comment
Question by:dmaxIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 17989855
Yes, through a "Restricted Groups" policy.
Do NOT use the "Administrators" group and add "Domain Admins" to the "This group has the following members" field, though; that would add the domain admins, but at the same time remove the locally defined admins.
Instead, add the "Domain Admins" group, and use the "This group is a member of the following groups" setting, add the "Administrators" group there.
Try this in a test OU with a test machine first.
0
 

Author Comment

by:dmaxIT
ID: 17989906
Where is that GPO located?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17989952
Someplace under Computer Configuration\Windows Configuration\Security Settings, can't look it up a the moment, but it's not too hard to find.
And maybe of interest:

Description of Group Policy Restricted Groups
http://support.microsoft.com/?kbid=810076

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/?kbid=810076
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17989976
You could also create a computer startup script (applied with group policy to your computer OU) with the following syntax:

net localgroup administrators "domainName\Domain Admins" /add

This will add the Domain Admins group and leave everything else in the administrators group intact.

Hope this helps
Crow
0
 

Author Comment

by:dmaxIT
ID: 17990002
I am sorry that I am still not understanding this completely.  Currently, I have nothing in my restricted groups.  Do I add domain admins to the restrcted groups.  Will I then see the  "This group is a member of the following groups" setting?  Thanks for all of your help.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17990055
Yes; right-click, choose "Add Group", enter "Domain Admins", add "Administrators" to the list "This group is a member of the following groups".
0
 

Author Comment

by:dmaxIT
ID: 17990099
That worked for my 2000 machines, but my XP machines do not appear to be picking up the GPO?  Any ideas?
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1000 total points
ID: 17990120
Do the XP machines have SP 2 installed? If not, check the second article I posted above.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question