scripttron75
asked on
active directory
I need some help. I need to know how I can create a group called desktop admins in Active Directory that gives anyone I put in this group local admin rights to the computer they log into. How can I do this? I am using Windows 2000 Server with AD. We need this because we don't want to have to give them admin rights all the time, the way the supervisor does it now. It takes too long.
Use Restricted Groups through Group Policy: http://support.microsoft.com/kb/228496
Look into restricted groups managed by GPO
This should get you started:
http://technet2.microsoft.com/windowsserver/en/library/2715d832-fe71-47f7-86fd-412f013a40cd1033.mspx?mfr=true
ASKER
Do you have anything that tells me how to set it up?
The following tutorial should suffice: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
See this for an explanation:-
Basically: create the security group, add the user accounts, and use Restricted Groups to add the security group to the local Administrators group.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
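The following is an added example, not part of the thread or of the linked articles. It audits a GPO security template for the outcome of the steps above: which principals a Restricted Groups policy actually places in local Administrators. It assumes the `[Group Membership]` layout of `GptTmpl.inf` (`<group>__Memberof` / `<group>__Members`); the SIDs are constructed placeholders and the function names are hypothetical.

```python
ADMINS = {"s-1-5-32-544", "administrators"}  # BUILTIN\Administrators, by SID or name

# Constructed placeholder SIDs: RID 1105 stands in for the "desktop admins"
# domain group, RID 1201 for a user account.
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER = "S-1-5-21-1111111111-2222222222-3333333333-1201"

# Constructed GptTmpl.inf fragments (assumed layout of the GPO security template).
NESTED = f"""[Group Membership]
*{GROUP}__Memberof = *S-1-5-32-544
*{GROUP}__Members =
"""
MEMBERS_ONLY = f"""[Group Membership]
*{GROUP}__Memberof =
*{GROUP}__Members = *{USER}
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        name, sep, kind = key.rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(name.lstrip("*"), {"members": [], "memberof": []})[kind.lower()] = entries
    return groups

def local_admin_grants(groups):
    """List (principal, setting) pairs that the policy puts into local Administrators."""
    grants = []
    for name, cfg in groups.items():
        if any(g.lower() in ADMINS for g in cfg["memberof"]):
            grants.append((name, "Member Of"))  # group nested into Administrators
        if name.lower() in ADMINS:
            grants.extend((m, "Members") for m in cfg["members"])  # explicit member list
    return grants

if __name__ == "__main__":
    for label, text in (("nested", NESTED), ("members only", MEMBERS_ONLY)):
        print(label, "->", local_admin_grants(parse_restricted_groups(text)))
```

An entry that only fills in the group's own member list produces no grant; the group has to be listed as a member of Administrators, or appear in the member list of Administrators itself.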
ASKER
I cannot get this to work. What am I doing wrong? This is what I did:
I created a group in AD called local admin test, and I created a user with my first name and no Exchange mailbox. I went to the Default Domain Policy under Security Settings, and in Restricted Groups added the group and then added me as a member of that group. I logged into a machine on the domain and it did not give me local admin rights?
Did you run gpupdate /force to apply the policy?
ASKER
Yes, I did.
ASKER
I ran it on the client machine.
And on the server?
ASKER
I did it on our Windows 2000 server; it says command not recognized.
ASKER
Anyone know why the group policy will not force?
Ah, 2000 Server. The command is different. Off the top of my head it's something like:
secedit refreshpolicy /machinepolicy
secedit refreshpolicy /userpolicy
I was almost right - from http://support.microsoft.com/kb/227302
• SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "machine" node of relevant group policy objects.
• SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE: Immediately imposes group policy object settings located within the "User" node of the relevant group policy objects.
ASKER
When I launched those commands, the Help and Support comes up. What now?
If help came up, you typed it wrong. Try again:
SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
ASKER
Yes, those commands worked, but I log in and, to test, I go to Manage and try to add a user to the local admin group under Computer Management, and it is access denied.