Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

active directory

Posted on 2007-11-28
18
Medium Priority
?
180 Views
Last Modified: 2010-04-18
I need some help, i need to know how i can create a group called desktop admins in active directory that gives anyone that i put in this group to have local admin rights to the computer in which they login into. how can i do this i am using windows 2000 server. with AD.  we need this becuase we dont want to have to give them admin rights  all the time with the way the supervisor does it now. it takes too long
0
Comment
Question by:scripttron75
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 7
  • 2
  • +1
18 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368005
Use Restricted Groups through Group Policy: http://support.microsoft.com/kb/228496
0
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20368047
Look into restricted groups managed by GPO

This should get you started:

http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
0
 

Author Comment

by:scripttron75
ID: 20368056
do you have anything that tells me how to set it up?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368075
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20368083
See this for an explanation:-
basically create the security group, add the user accounts, use restritced groups to add the security group to Local administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:scripttron75
ID: 20370449
i can not get this too work what am doing wrong, this is what i did..

i created a group in AD called local admin test, i created a user with my first name and no exchange mailbox.  i went to the default domain policy under security settings and in restriceted added the group and then added me as a memberto that group, i logged into a machine on the domain and it did not give me local admin rights?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370505
did you run gpupdate /force to apply the policy?
0
 

Author Comment

by:scripttron75
ID: 20370541
yes i did
0
 

Author Comment

by:scripttron75
ID: 20370546
i ran it on the client machine
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370551
and on the server ?
0
 

Author Comment

by:scripttron75
ID: 20370558
i did it on our windows 2000 server it says commadn not recognized.
0
 

Author Comment

by:scripttron75
ID: 20370635
anyone know why the group policy will not force
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370651
ah - 2000 sever - the command is different - off the top of my head its something like

secedit refreshpolicy /machinepolicy
secedit refreshpolicy /userpolicy
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370666
I was almost right - from http://support.microsoft.com/kb/227302

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.

• SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.
0
 

Author Comment

by:scripttron75
ID: 20370673
when i launched those commands the help and support comes up what now
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370690
If help came up you typed it wrong try agin:-

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
0
 

Author Comment

by:scripttron75
ID: 20370694
yes those commands worked but i log in and to test i go to manage and try to add a user to the local admin group under computer management is access denied.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 1500 total points
ID: 20370746
very odd - lets just reprise the process

If you want this to apply to the domain edit the default domain policy - or create a new polict and link it to the domain.

Gg to Restricted Groups node under the computer settings.

Right-click on the Restricted Groups node and select "Add Group".  Enter the name of the group you want to add ie Administrators.

Double-click the Administrators group and look for the section that says "Members of this group" and add Admintest?

Update the policies
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question