how can i put Domain Group in the local administrators group in network machines using group policy?

Posted on 2007-04-03
Medium Priority
Last Modified: 2013-12-04
I have a windows 2003 network with 1000 PC's i need to give the technical support team a ful administrative rights to thes machines then they can do the administrative tasks like installing softwares and drivers without puting them in the domain admin group
can i put them in the local administrators group in that machines using group policy?
Question by:alkhaleej
LVL 30

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 18843450
First point - thank you THANK YOU for asking how to do this rather than simply putting your users in the DA group - I can't tell you the number of times I see that as a workaround and it makes me cry like a little girl.

Second - you want to configure Restricted Groups in GP, under Computer Settings-->Windows Settings-->Security Settings.

Add "HelpDesk" (or whatever you've called your group) as a Restricted Group, then on the "Member Of" tab, add "Administrators."

Full instructions found here: http://technet2.microsoft.com/WindowsServer/en/library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Expert Comment

ID: 18848547
if you think thats bad, i did consulting on a network where the boss made everyone a domain admin ... so they could admin thir local desktop ... he was not aware that there is both a local and domain group.

Restricted Groups are the way to go.... its a poor name of the policy .. but its where you need to go

Author Comment

ID: 18848761
Thank you ,before also i had a workaround solution for this problem but now i have a solution from the Active Directory
Thank You again

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
In computing, Vulnerability assessment and penetration testing are used to assess systems in light of the organization's security posture, but they have different purposes.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question