?
Solved

active directory

Posted on 2007-11-28
18
Medium Priority
?
178 Views
Last Modified: 2010-04-18
I need some help, i need to know how i can create a group called desktop admins in active directory that gives anyone that i put in this group to have local admin rights to the computer in which they login into. how can i do this i am using windows 2000 server. with AD.  we need this becuase we dont want to have to give them admin rights  all the time with the way the supervisor does it now. it takes too long
0
Comment
Question by:scripttron75
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 7
  • 2
  • +1
18 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368005
Use Restricted Groups through Group Policy: http://support.microsoft.com/kb/228496
0
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20368047
Look into restricted groups managed by GPO

This should get you started:

http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
0
 

Author Comment

by:scripttron75
ID: 20368056
do you have anything that tells me how to set it up?
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20368075
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20368083
See this for an explanation:-
basically create the security group, add the user accounts, use restritced groups to add the security group to Local administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:scripttron75
ID: 20370449
i can not get this too work what am doing wrong, this is what i did..

i created a group in AD called local admin test, i created a user with my first name and no exchange mailbox.  i went to the default domain policy under security settings and in restriceted added the group and then added me as a memberto that group, i logged into a machine on the domain and it did not give me local admin rights?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370505
did you run gpupdate /force to apply the policy?
0
 

Author Comment

by:scripttron75
ID: 20370541
yes i did
0
 

Author Comment

by:scripttron75
ID: 20370546
i ran it on the client machine
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370551
and on the server ?
0
 

Author Comment

by:scripttron75
ID: 20370558
i did it on our windows 2000 server it says commadn not recognized.
0
 

Author Comment

by:scripttron75
ID: 20370635
anyone know why the group policy will not force
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370651
ah - 2000 sever - the command is different - off the top of my head its something like

secedit refreshpolicy /machinepolicy
secedit refreshpolicy /userpolicy
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370666
I was almost right - from http://support.microsoft.com/kb/227302

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.

• SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediate imposes group policy object settings located within the "User" node of the relevant group policy objects.
0
 

Author Comment

by:scripttron75
ID: 20370673
when i launched those commands the help and support comes up what now
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370690
If help came up you typed it wrong try agin:-

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
0
 

Author Comment

by:scripttron75
ID: 20370694
yes those commands worked but i log in and to test i go to manage and try to add a user to the local admin group under computer management is access denied.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 1500 total points
ID: 20370746
very odd - lets just reprise the process

If you want this to apply to the domain edit the default domain policy - or create a new polict and link it to the domain.

Gg to Restricted Groups node under the computer settings.

Right-click on the Restricted Groups node and select "Add Group".  Enter the name of the group you want to add ie Administrators.

Double-click the Administrators group and look for the section that says "Members of this group" and add Admintest?

Update the policies
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question