Active Directory - Restricted Groups for individual admin users
Posted on 2007-11-26
I am very familiar with how to create GPOs using Restricted groups in order to add groups of users to a local group on a workstation or server... including the difference between the "Members" and "Member of" settings in Restricted Groups policies...
What I am looking for is a suggestion for how to best handle this scenario:
We have 14000 workstations in the enterprise. We use restricted group policies to add particular global groups to the local administrators group on all workstations. Depending on where the workstations are located, and the rights required, some of these policies apply to all machines, and some of them might apply to smaller subsets (several hundred). For example, we might have a global group for "Level_3_PC_Admins" that applies to all workstations, but we might have another group like "Houston_PC_Admins" that should only apply to workstations in the Houston OU (because the desktop support people in Houston don't need admin rights on machines in other locations).
The problem I'm running into is that there are many occasions where I have users that, for various reasons, need to get local admin rights on their own workstation. I don't want to add them to one of the admin groups for their site because then these users would have administrator rights on other workstations in their area.
Since the "Member of" function in the Restricted Groups policy does not apply to users, and only applies to groups... using that functionality means having to create a group which contains only that user, then creating a GPO that makes that group a member of the local administrator group. Then the policy has to be set to only apply to a particular machine.
That is not so difficult, except to consider that if I have a couple hundred requests like this, then I end up with a couple hundred extra groups and policies, which only serves to cause extra bloating and policy processing.
Anyone have another suggestion that can be managed at an enterprise level for when individual users need to have administrator rights only to their own machines?
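As an added example (not part of the original post), a PowerShell audit that lists what actually sits in a workstation's local Administrators group and separates the domain groups the Restricted Groups GPOs are expected to place there from per-machine individual user accounts, so those one-off exceptions can be tracked enterprise-wide rather than guessed at. The workstation names are hypothetical; the group names are the ones used in the post; it uses the ADSI WinNT provider so it also works against older hosts.

```powershell
# Added example, not from the original post. Enumerates the local Administrators group on each
# workstation and classifies every member. $Computers and $ExpectedGroups are assumed values.
$Computers      = @('HOU-WS0001', 'HOU-WS0002')                   # hypothetical workstation names
$ExpectedGroups = @('Level_3_PC_Admins', 'Houston_PC_Admins')     # groups the GPOs should add

function Get-LocalAdminAudit {
    param([string]$Computer, [string[]]$Expected)
    # WinNT provider works on XP/2003-era hosts as well as current ones
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)   # 'User' or 'Group'
        $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath looks like WinNT://DOMAIN/Name; a local account carries the computer name in that slot
        $domain  = (($path -replace '^WinNT://', '') -split '/')[0]
        $isLocal = ($domain -ieq $Computer)
        $status  = if ($class -eq 'Group' -and $Expected -contains $name) { 'expected-group' }
                   elseif ($class -eq 'Group')                            { 'unexpected-group' }
                   elseif ($isLocal -and $name -eq 'Administrator')       { 'builtin' }
                   else                                                   { 'individual-user' }
        New-Object PSObject -Property @{
            Computer = $Computer; Member = "$domain\$name"; Class = $class; Status = $status
        }
    }
}

# Report everything that is not one of the expected admin groups: per-machine users and stray groups
$Computers |
    ForEach-Object { Get-LocalAdminAudit -Computer $_ -Expected $ExpectedGroups } |
    Where-Object { $_.Status -ne 'expected-group' } |
    Sort-Object Computer, Status |
    Format-Table Computer, Member, Class, Status -AutoSize
```

Run it from an account that can read the workstations' local SAM (for example one of the admin groups the GPOs already add); the 'individual-user' rows are the per-machine exceptions worth keeping an inventory of, since Restricted Groups "Members" mode would otherwise silently remove them at the next policy refresh.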