Solved

active directory

Posted on 2007-11-28
18
171 Views
Last Modified: 2010-04-18
I need some help, i need to know how i can create a group called desktop admins in active directory that gives anyone that i put in this group to have local admin rights to the computer in which they login into. how can i do this i am using windows 2000 server. with AD.  we need this becuase we dont want to have to give them admin rights  all the time with the way the supervisor does it now. it takes too long
0
Comment
Question by:scripttron75
  • 8
  • 7
  • 2
  • +1
18 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368005
Use Restricted Groups through Group Policy: http://support.microsoft.com/kb/228496
0
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20368047
Look into restricted groups managed by GPO

This should get you started:

http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
0
 

Author Comment

by:scripttron75
ID: 20368056
do you have anything that tells me how to set it up?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368075
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20368083
See this for an explanation:-
basically create the security group, add the user accounts, use restritced groups to add the security group to Local administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:scripttron75
ID: 20370449
i can not get this too work what am doing wrong, this is what i did..

i created a group in AD called local admin test, i created a user with my first name and no exchange mailbox.  i went to the default domain policy under security settings and in restriceted added the group and then added me as a memberto that group, i logged into a machine on the domain and it did not give me local admin rights?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370505
did you run gpupdate /force to apply the policy?
0
 

Author Comment

by:scripttron75
ID: 20370541
yes i did
0
 

Author Comment

by:scripttron75
ID: 20370546
i ran it on the client machine
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 70

Expert Comment

by:KCTS
ID: 20370551
and on the server ?
0
 

Author Comment

by:scripttron75
ID: 20370558
i did it on our windows 2000 server it says commadn not recognized.
0
 

Author Comment

by:scripttron75
ID: 20370635
anyone know why the group policy will not force
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370651
ah - 2000 sever - the command is different - off the top of my head its something like

secedit refreshpolicy /machinepolicy
secedit refreshpolicy /userpolicy
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370666
I was almost right - from http://support.microsoft.com/kb/227302

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.

• SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.
0
 

Author Comment

by:scripttron75
ID: 20370673
when i launched those commands the help and support comes up what now
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370690
If help came up you typed it wrong try agin:-

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
0
 

Author Comment

by:scripttron75
ID: 20370694
yes those commands worked but i log in and to test i go to manage and try to add a user to the local admin group under computer management is access denied.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 20370746
very odd - lets just reprise the process

If you want this to apply to the domain edit the default domain policy - or create a new polict and link it to the domain.

Gg to Restricted Groups node under the computer settings.

Right-click on the Restricted Groups node and select "Add Group".  Enter the name of the group you want to add ie Administrators.

Double-click the Administrators group and look for the section that says "Members of this group" and add Admintest?

Update the policies
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now