Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

restricted groups

Posted on 2007-04-10
3
Medium Priority
?
1,306 Views
Last Modified: 2009-02-11
Hello

I want to use "restricted groups" in GPO to give members of the helpdesk local administrator rights to all desktop PC's and portables. But when i use this setting it overrides the old permissions in the local administrator group of the pc's and portables. Because several managers have local admin rights on their laptop. Does anyone know a way to ADD a group in the local administrator group ?

Thanks
Robin
0
Comment
Question by:Geert Bettens
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1000 total points
ID: 18882431
You can deploy Restricted Groups in either an additive or a destructive fashion:

* Destructive (what you're currently using): Define "Administrators" as a Restricted Group, and on the Member tab list the users who should be members of that group.  All other group members will be removed when this policy is defined.

* Additive (what it sounds like you want to be doing): Define "HelpDesk" (or whatever you've called the group as a Restricted Group, and on the Member Of tab, define the HelpDesk group as a member of "Administrators." The HelpDesk group will be added to the Administrators group of any machine to which this policy applies, without removing any other group members from the Administrators group.

Caveat - be sure that you're defining this GPO so that it only applies to your workstations, otherwise you will be adding HelpDesk to the local Admins group on servers/DCs which you probably don't want to be doing.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 26

Expert Comment

by:Pber
ID: 18882439
Yeah, restricted groups are great, but they have that drawback.  Anyhow, do this to get around it: http://windows.stanford.edu/Public/Infrastructure/localgroup.html

Let me know if you need a hand with the scripts.
0
 

Author Comment

by:Geert Bettens
ID: 18896897
Hello Laura

Thanks for the help, you are great ! :-)

Robin
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question