Solved

active directory

Posted on 2007-11-28
18
174 Views
Last Modified: 2010-04-18
I need some help, i need to know how i can create a group called desktop admins in active directory that gives anyone that i put in this group to have local admin rights to the computer in which they login into. how can i do this i am using windows 2000 server. with AD.  we need this becuase we dont want to have to give them admin rights  all the time with the way the supervisor does it now. it takes too long
0
Comment
Question by:scripttron75
  • 8
  • 7
  • 2
  • +1
18 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368005
Use Restricted Groups through Group Policy: http://support.microsoft.com/kb/228496
0
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20368047
Look into restricted groups managed by GPO

This should get you started:

http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
0
 

Author Comment

by:scripttron75
ID: 20368056
do you have anything that tells me how to set it up?
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368075
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20368083
See this for an explanation:-
basically create the security group, add the user accounts, use restritced groups to add the security group to Local administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:scripttron75
ID: 20370449
i can not get this too work what am doing wrong, this is what i did..

i created a group in AD called local admin test, i created a user with my first name and no exchange mailbox.  i went to the default domain policy under security settings and in restriceted added the group and then added me as a memberto that group, i logged into a machine on the domain and it did not give me local admin rights?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370505
did you run gpupdate /force to apply the policy?
0
 

Author Comment

by:scripttron75
ID: 20370541
yes i did
0
 

Author Comment

by:scripttron75
ID: 20370546
i ran it on the client machine
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370551
and on the server ?
0
 

Author Comment

by:scripttron75
ID: 20370558
i did it on our windows 2000 server it says commadn not recognized.
0
 

Author Comment

by:scripttron75
ID: 20370635
anyone know why the group policy will not force
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370651
ah - 2000 sever - the command is different - off the top of my head its something like

secedit refreshpolicy /machinepolicy
secedit refreshpolicy /userpolicy
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370666
I was almost right - from http://support.microsoft.com/kb/227302

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.

• SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.
0
 

Author Comment

by:scripttron75
ID: 20370673
when i launched those commands the help and support comes up what now
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370690
If help came up you typed it wrong try agin:-

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
0
 

Author Comment

by:scripttron75
ID: 20370694
yes those commands worked but i log in and to test i go to manage and try to add a user to the local admin group under computer management is access denied.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 20370746
very odd - lets just reprise the process

If you want this to apply to the domain edit the default domain policy - or create a new polict and link it to the domain.

Gg to Restricted Groups node under the computer settings.

Right-click on the Restricted Groups node and select "Add Group".  Enter the name of the group you want to add ie Administrators.

Double-click the Administrators group and look for the section that says "Members of this group" and add Admintest?

Update the policies
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now