darylclune
asked on
Local Administrator Group Policy Restriction
I have a forest with over 700 computers. The workstations have overtime had various local administrator groups and user added.
I used the restricted groups in Windows Computer Settings in the Group Policy editor and applied it to everybody in the forest.
I selected BUILTIN/ADMINISTRATORS and added ADMINISTRATOR and DOMAIN ADMINS to be the only local administrators.
That worked a treat. All the weird accounts were remove from the domain workstations and just Administrator and Domain Admins remain.
The problem is, I need to add 5 users to be allowed local administrator rights. But if I add them on the local machine, the group policy overides them.
How can I make exceptions to the Restrcited Groups policy?
I used the restricted groups in Windows Computer Settings in the Group Policy editor and applied it to everybody in the forest.
I selected BUILTIN/ADMINISTRATORS and added ADMINISTRATOR and DOMAIN ADMINS to be the only local administrators.
That worked a treat. All the weird accounts were remove from the domain workstations and just Administrator and Domain Admins remain.
The problem is, I need to add 5 users to be allowed local administrator rights. But if I add them on the local machine, the group policy overides them.
How can I make exceptions to the Restrcited Groups policy?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
try to make sperate group for your 5 users and add them to the gpo restriction policy.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@Karl12347 it's a long process.
He can create a new group with the 5 users, then he can add the group into the restrict policy, just like what he did with "domain admins".
with group restriction policy you can add multiple gorups to different local groups or domain gruops
http://support.microsoft.com/kb/810076.
He can create a new group with the 5 users, then he can add the group into the restrict policy, just like what he did with "domain admins".
with group restriction policy you can add multiple gorups to different local groups or domain gruops
http://support.microsoft.com/kb/810076.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Awesome. Thanks