Solved

Local Admin Group Policy for certain users on all computers of domain

Posted on 2008-02-05
Last Modified: 2012-05-05
How do we set up about 3 users through group policy or AD to have local admin rights on all computers that are on the domain except for domain controllers?  This is for a company that has 1 SBS 2003 server, 1 Terminal Server, and 1 File Server.  We do not want them having those rights on the servers, just the local computers that are joined to the domain.  All of the computers are Windows XP.  We don't want the other users to have local admin rights, only a select few.  We have tried several other posts yet nothing seems to get us where we need.  The other posts tell us to create a new OU, add a group, then add that group to "administrators".  The issue is that they then are administrators of the domain and the servers, not just the local PCs.  Thanks in advance for any assistance!!
Question by:cnit
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20828040
Hi!

There is one step missing in your procedure. You should create a new GPO, link it to the OU which contains the computer accounts, and then configure the Restricted Groups policy. I believe that you've already done this part, but with the wrong GPO.

HTH

Toni
 
LVL 24

Expert Comment

by:ryansoto
ID: 20828045
 
LVL 24

Expert Comment

by:ryansoto
ID: 20828069
 

Author Comment

by:cnit
ID: 20828314
Ryansoto.... I have created the below script as a .vbs but I am getting errors on line 8 among others.  What do I need to change to make this work on our domain using the following info:

Domain name = domain.local
Server name = dcserver01

THANKS!!
Option Explicit

Dim objGroup
Dim strComputer

On Error Resume Next

' Variables you will want to change
strComputer = "."    ' "." means the local computer

' Create objects
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Modify group memberships
objGroup.Add "WinNT://DOMAIN/GROUPNAME,group"
Set objGroup = Nothing

 

Author Comment

by:cnit
ID: 20828373
....one other thing.  Will this be the best solution seeing that we only want a few users to have Local Admin rights of all workstations?  All the rest of the users need to not have local admin rights, just a select few.  But not on Domain Controllers.  Nobody but administrator needs local admin rights on those.

Thanks!
 

Author Comment

by:cnit
ID: 20828403
Toniur.... Can you elaborate?  I'm not sure where we took the wrong step.  We incorrectly ended up making the user an administrator of the domain.
 
LVL 24

Accepted Solution

by:
ryansoto earned 2000 total points
ID: 20828435
In caps where it says DOMAIN and GROUPNAME (line 15), change that to your domain name and change GROUPNAME to the Active Directory group you placed the users in (the users you want to have local admin access).

Here is another thread to get you going http://forums.techarena.in/showthread.php?t=454014
Just down there is another script (I'm not sure if it's the same one as I posted earlier, but it will also work).

In the snippet I pasted, the only things you would change are 'mydomain' and 'mygroup'.
I placed XXXXXXX next to them to change.  Again, 'mygroup' is the group you place your users in for the local admin (maybe something like 'local admin group').

Once you change the script and put it in a GPO to run at startup, this will place that group in the local admin group permanently, so you don't need the script anymore once all machines have run the GPO.
Afterwards I would kill that GPO and then you can have fun just updating the 'local admin group' you create.
Option Explicit
 
Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup
 
' Specify the NetBIOS name of the domain.
strDomain = "MyDomainXXXXXXXX"
 
' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
 
' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")
 
' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/MyGroupXXXXXXX,group")
 
' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGroup.Add(objDomainGroup.AdsPath)
End If
 
' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing

 
LVL 24

Expert Comment

by:ryansoto
ID: 20828442
Also make sure the GPO you create only runs on the computers OU, NOT the domain controllers OU.
This assumes you have all the local client machines in an OU.
 

Author Comment

by:cnit
ID: 20828580
ryansoto.... The script works only if the user is "already" a local admin.  Example:  if paul logs into the computer and he is not a local admin, the script won't add the correct group to local admins.  If we log into that computer as the domain administrator, the script runs and the correct group is then added to the local administrators group.  

To keep us from going to each computer and logging in as administrator first, how can we push this script out to the computers from the server which already is a local admin of all computers?  

Thanks!!  We're so close now!
 
LVL 24

Expert Comment

by:ryansoto
ID: 20829194
How did you push the gpo out?

Logon and Logoff scripts run with the credentials of the user.

Startup and Shutdown scripts run with the credentials of the computer object.
 
LVL 24

Expert Comment

by:ryansoto
ID: 20829217
Also the first script should work fine.  The reason you're running into trouble on line 8:
you have to replace all the  with 
Must be an ASCII thing

 
LVL 24

Expert Comment

by:ryansoto
ID: 20829233
In 2 posts above by the log on vs start up scripts -

Push the policy out using a startup script, not a logon script, in your GPO.
 
LVL 24

Expert Comment

by:ryansoto
ID: 20829245
Also here is another way

You can create a startup script with the following command and link it to (or create a) GPO:

Net localgroup Administrators "DomainName\Domain Admins" /add

Since the startup script (not login script!!) runs under the context of the LocalSystem account, it has permissions to alter the local Administrators group.

Let me know if you still have problems

Ryan
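The startup-script approach from the last few posts, written out as a PowerShell computer startup script. This is an added example, not code from the thread or from ryansoto: it covers the same ground as the VBScript and the net localgroup line, using the same WinNT ADSI provider the thread's VBScript binds through. 'DOMAIN' and 'WorkstationAdmins' are placeholders for the NetBIOS domain name and the AD group that holds the three users, and the log path is an assumption. Beyond the thread's snippets it adds the guard the question asks for (it exits without changes on a domain controller, so a GPO linked too broadly cannot hand out rights on the SBS box), is idempotent across reboots, and logs any member of local Administrators outside an expected list so drift can be spotted.

```powershell
# Added example (not from the thread). Computer startup script: put DOMAIN\WorkstationAdmins
# into the local Administrators group on workstations only. Runs as LocalSystem when linked
# under Computer Configuration > Windows Settings > Scripts (Startup), so it does not depend
# on who logs on. Placeholders (assumptions, not from the page): $DomainNetBios, $AdminGroup,
# $LogFile. Uses the WinNT ADSI provider so it works on Windows PowerShell without the
# LocalAccounts module; Get-WmiObject is the Windows PowerShell 5.1-and-earlier cmdlet.

$DomainNetBios = 'DOMAIN'               # placeholder: NetBIOS name of the domain
$AdminGroup    = 'WorkstationAdmins'    # placeholder: AD group holding the three users
$LogFile       = Join-Path $env:SystemRoot 'Temp\local-admin-startup.log'   # assumption

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogFile -Append -Encoding ascii
}

function Test-DomainController {
    # Win32_ComputerSystem.DomainRole: 0/1 standalone/member workstation,
    # 2/3 standalone/member server, 4 backup DC, 5 primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-LocalAdminMemberNames {
    # Names of every current member of the local Administrators group (users and groups).
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($admins.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Add-DomainGroupToLocalAdmins([string]$Domain, [string]$Group) {
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $path   = "WinNT://$Domain/$Group,group"
    # IADsGroup::IsMember makes this idempotent, so it is safe to run at every boot.
    if ($admins.Invoke('IsMember', $path)) {
        Write-Log "$Domain\$Group already in Administrators; nothing to do"
        return $false
    }
    $admins.Invoke('Add', $path)
    Write-Log "Added $Domain\$Group to local Administrators"
    return $true
}

# Guard: never touch the Administrators group of a domain controller, even if the GPO
# ends up linked above the workstation OU by mistake.
if (Test-DomainController) {
    Write-Log 'Domain controller detected; refusing to modify the Administrators group'
    exit 0
}

Add-DomainGroupToLocalAdmins -Domain $DomainNetBios -Group $AdminGroup | Out-Null

# Drift report: log any Administrators member outside the expected set. The comparison
# is by name only (a local and a domain principal with the same name are not told apart),
# so treat this as something to review centrally, not as enforcement.
$expected = @('Administrator', 'Domain Admins', $AdminGroup)
foreach ($name in Get-LocalAdminMemberNames) {
    if ($expected -notcontains $name) {
        Write-Log "Unexpected member of local Administrators: $name"
    }
}
```

Link the GPO that carries this script only to the OU holding the workstation computer accounts, as ryansoto says; the DC check is a second line of defence, not a substitute for correct linking. Note that the net localgroup line above adds "Domain Admins", which is already a member of every domain member's local Administrators group by default, so on its own it does not grant the three users anything unless they are put into Domain Admins, which is exactly what the question wants to avoid; a dedicated group such as the placeholder here keeps workstation rights and domain rights separate. If you go the Restricted Groups route from Toni's post instead, define the policy on the domain group with "This group is a member of: Administrators" rather than filling the "Members of this group" list on the Administrators group itself: the Members list is authoritative and removes every member not listed at each policy refresh, whereas "Member of" only adds.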
 

Author Comment

by:cnit
ID: 20852579
Ryansoto,  Thank you very much for your help.  We ended up using a program called exe to service to install the local admin script that you helped us with.  That program allowed us to view the computers on the network and push the service to all computers, it would then run on the computer and after that would disable itself.

We couldn't have done it without your help!  Thanks!

 
 
LVL 24

Expert Comment

by:ryansoto
ID: 20856029
No problem glad it worked out