Link to home
Create AccountLog in
Avatar of emsed
emsedFlag for United States of America

asked on

How to assign specific users in AD local administrator right using a GPO?

I currently am running an OU with about 200 users in it. I need to create a GPO that will grant specific users local administrator rights. I do not want the users to become Domain Administrators, just local admins. I am using Win Server 2003. I do not want to visit the computers either just push something out over the network.

Thanks
ASKER CERTIFIED SOLUTION
Avatar of Brian Pierce
Brian Pierce
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
...or use a logon script  eg:-

NET localgroup Administrators /add MyDomain\MyGroup
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
You'd be better off scripting this with the net command (or google it, there's lots of scripts you can download and modify to fit your needs).

If I'm not mistaken, the ristricted groups option will replace the local admins already in that group with the accounts you define in the policy. That may not be what you're looking to do.

A script will allow you to be a bit more surgical in your approach.

My .02 anyway.
Avatar of Jeremy Weisinger
Jeremy Weisinger

"If I'm not mistaken, the ristricted groups option will replace the local admins already in that group with the accounts you define in the policy."

I'm sorry but you are mistaken. I'll do a quick rundown (but all this information can be found in the link KCTS provided)

"Member" - defines what groups are members of a particular group. It will replace any groups and users that are currently members.
"MemberOf" - defines what groups a particular group is a member of. It will not replace existing members, it will just add the configured group to another group.
DOH! Don't be sorry, I was plain wrong.

I didn't read the post in it's entirety and made some incorrect assumptions. I was stuck behind the thought that they were adding individual users, not a group.

My appologies.
No worries. =)