Solved

Local Administrator Group Policy Restriction

Posted on 2008-06-12
6
1,300 Views
Last Modified: 2010-04-21
I have a forest with over 700 computers. The workstations have overtime had various local administrator groups and user added.

I used the restricted groups in Windows Computer Settings in the Group Policy editor and applied it to everybody in the forest.
I selected BUILTIN/ADMINISTRATORS and added ADMINISTRATOR and DOMAIN ADMINS to be the only local administrators.

That worked a treat. All the weird accounts were remove from the domain workstations and just Administrator and Domain Admins remain.

The problem is, I need to add 5 users to be allowed local administrator rights. But if I add them on the local machine, the group policy overides them.

How can I make exceptions to the Restrcited Groups policy?
0
Comment
Question by:darylclune
6 Comments
 
LVL 3

Assisted Solution

by:Karl12347
Karl12347 earned 150 total points
Comment Utility
Move the computer accounts to an OU on their own and then block inheritance of the group policy to that OU. This will stop the grou policy from being applied to only these computers and then you can manually add the users to the machine.

Hope this Helps
Karl
0
 
LVL 7

Expert Comment

by:ms-pro
Comment Utility
try to make sperate group for your 5  users and add them to the gpo restriction policy.
0
 
LVL 8

Accepted Solution

by:
Sinder255248 earned 350 total points
Comment Utility
You could filter these machines on policy one.  Then create a new policy and instead of selecting the Local group as you did in the First policy, select the local user (or group with 5 users in) and then choose the "This group is a member of" button.  Put in the "This group is a member of" builtin\Administrators, and apply this policy.  Doing it this way round will not clear out the Administrators group as Policy one did, but will simply add the group, or individual users that you select.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 7

Expert Comment

by:ms-pro
Comment Utility
@Karl12347 it's a long process.
He can create a new group with the 5 users, then he can add the group into the restrict policy, just like what he did with "domain admins".
with group restriction policy you can add multiple gorups to different local groups or domain gruops

http://support.microsoft.com/kb/810076.
0
 
LVL 8

Assisted Solution

by:Sinder255248
Sinder255248 earned 350 total points
Comment Utility
Sorry just noticed on my commend I've said "select local user (or group with 5 users in it)".  That should have read "select Domain User"

Ta

Bri
0
 

Author Closing Comment

by:darylclune
Comment Utility
Awesome. Thanks
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now