Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 731
  • Last Modified:

How to assign specific users in AD local administrator right using a GPO?

I currently am running an OU with about 200 users in it. I need to create a GPO that will grant specific users local administrator rights. I do not want the users to become Domain Administrators, just local admins. I am using Win Server 2003. I do not want to visit the computers either just push something out over the network.

Thanks
0
emsed
Asked:
emsed
  • 3
  • 2
  • 2
2 Solutions
 
KCTSCommented:
Put the users into a security group and then use Restricted Groups to add this group to the local admins

See the restricted groups section at http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_restricted_group.htm
0
 
KCTSCommented:
...or use a logon script  eg:-

NET localgroup Administrators /add MyDomain\MyGroup
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Be sure to use the "MemberOf" and not "Member" or else you'll find that only the group you defined and the local administrator will members of the local administrators group.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
mdnewellCommented:
You'd be better off scripting this with the net command (or google it, there's lots of scripts you can download and modify to fit your needs).

If I'm not mistaken, the ristricted groups option will replace the local admins already in that group with the accounts you define in the policy. That may not be what you're looking to do.

A script will allow you to be a bit more surgical in your approach.

My .02 anyway.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
"If I'm not mistaken, the ristricted groups option will replace the local admins already in that group with the accounts you define in the policy."

I'm sorry but you are mistaken. I'll do a quick rundown (but all this information can be found in the link KCTS provided)

"Member" - defines what groups are members of a particular group. It will replace any groups and users that are currently members.
"MemberOf" - defines what groups a particular group is a member of. It will not replace existing members, it will just add the configured group to another group.
0
 
mdnewellCommented:
DOH! Don't be sorry, I was plain wrong.

I didn't read the post in it's entirety and made some incorrect assumptions. I was stuck behind the thought that they were adding individual users, not a group.

My appologies.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
No worries. =)
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now