[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Local Administrator Group Policy Restriction

Posted on 2008-06-12
6
Medium Priority
?
1,318 Views
Last Modified: 2010-04-21
I have a forest with over 700 computers. The workstations have overtime had various local administrator groups and user added.

I used the restricted groups in Windows Computer Settings in the Group Policy editor and applied it to everybody in the forest.
I selected BUILTIN/ADMINISTRATORS and added ADMINISTRATOR and DOMAIN ADMINS to be the only local administrators.

That worked a treat. All the weird accounts were remove from the domain workstations and just Administrator and Domain Admins remain.

The problem is, I need to add 5 users to be allowed local administrator rights. But if I add them on the local machine, the group policy overides them.

How can I make exceptions to the Restrcited Groups policy?
0
Comment
Question by:darylclune
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 3

Assisted Solution

by:Karl12347
Karl12347 earned 600 total points
ID: 21776651
Move the computer accounts to an OU on their own and then block inheritance of the group policy to that OU. This will stop the grou policy from being applied to only these computers and then you can manually add the users to the machine.

Hope this Helps
Karl
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21776652
try to make sperate group for your 5  users and add them to the gpo restriction policy.
0
 
LVL 8

Accepted Solution

by:
Sinder255248 earned 1400 total points
ID: 21776657
You could filter these machines on policy one.  Then create a new policy and instead of selecting the Local group as you did in the First policy, select the local user (or group with 5 users in) and then choose the "This group is a member of" button.  Put in the "This group is a member of" builtin\Administrators, and apply this policy.  Doing it this way round will not clear out the Administrators group as Policy one did, but will simply add the group, or individual users that you select.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 7

Expert Comment

by:ms-pro
ID: 21776747
@Karl12347 it's a long process.
He can create a new group with the 5 users, then he can add the group into the restrict policy, just like what he did with "domain admins".
with group restriction policy you can add multiple gorups to different local groups or domain gruops

http://support.microsoft.com/kb/810076.
0
 
LVL 8

Assisted Solution

by:Sinder255248
Sinder255248 earned 1400 total points
ID: 21778405
Sorry just noticed on my commend I've said "select local user (or group with 5 users in it)".  That should have read "select Domain User"

Ta

Bri
0
 

Author Closing Comment

by:darylclune
ID: 31466830
Awesome. Thanks
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question