• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 720
  • Last Modified:

Through GPO, how can I add the Domain\Administrator and Domain Admins accounts into each machine's local group?

Hi,

Through GPO, how can I add the Domain\Administrator and Domain Admins accounts into each machine's local group?
A policy that can push these 2 user accounts into each machine's local group called "SophosAdministrator".

Regards
Sharath
Asked:
bsharath
3 Solutions
 
tigermatt commented:

You would have to use Restricted Groups for that. http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Add a new Restricted Groups policy called "SophosAdministrator". Edit that policy, then set 'Members' and add the DOMAIN\Administrator and DOMAIN\Domain Admins as members.

-Matt

wantabe2 commented:
I added mine through a login script:

www.kixstart.com
It is free

I've listed below what I put in my script to do this. You'll have to edit the groups to match your LAN.

; Skip servers entirely: only workstations get the local group change
If IsServer()
      ? "You are on a server . . . returning"
      Return
EndIf

; Belt and braces: also bail out on a server OS reported by @PRODUCTTYPE
If Instr(@PRODUCTTYPE, "Windows Server 2003") <> 0
      ? "You are running a server OS . . . returning"
      Return
EndIf

; Windows 98 has no local SAM groups to manage
If Instr(@PRODUCTTYPE, "Windows 98") <> 0
      ? "You are running Windows 98 . . . returning"
      Return
EndIf

? "Adding domain user to machine administrator group"

; Edit these three values to match your LAN: the domain/DC name to resolve the
; account against, the domain account or group to add, and the local group.
; Note: with "Domain Users" here every domain account becomes a local
; Administrator on the workstation; set it to the account or group you intend.
$strPDC="your server name"
$strUser="Domain Users"
$strGroup="Administrators"
; Bind to this workstation's local account database through the ADSI WinNT provider
$oDomain = GetObject("WinNT://" + @WKSTA)
$oGroup = $oDomain.GetObject("Group", $strGroup)
; Add the domain principal to the local group
$oGroup.Add ("WinNT://" + $strPDC + "/" + $strUser)
; Release the ADSI objects
$oDomain=Nothing
$oGroup=Nothing

Return

Mike Kline commented:
Matt is right on as usual.
Just wanted to throw out another link about restricted groups; a great write-up from MVP Florian:
http://www.frickelsoft.net/blog/?p=13
Thanks
Mike
 
bsharath (author) commented:
Thanks Matthew.

Few questions here

When a Restricted Group is created, will that mean that all the members already in the group will be removed and the new users will be added as mentioned?

Should this GPO be only for computers?
Will there be any issues if the domain controllers are listed in the same OU?

tigermatt commented:
> When a Restricted Group is created, will that mean that all the members already in the group will be removed and the new users will be added as mentioned?

It depends which way around you create it. If you do it the way I described, then I believe it will throw out all current members of the SophosAdministrator group. If you want to do it the other way around (so users are not thrown out of the local group), you'd have to:

*Create a Restricted Groups policy called DOMAIN\Administrator, and make that policy a 'Member Of' of the SophosAdministrator group.
*Repeat, except for DOMAIN\Domain Admins.

> Should this GPO be only for computers?

Yes. It's a computer-specific setting, so it won't work if applied to User objects.

> Will there be any issues if the domain controllers are listed in the same OU

No. DCs can't have local groups, so it won't have any effect on them (although it could possibly cause an error message to be triggered to that effect).

-Matt

bsharath (author) commented:
Thanks...
If by chance anything fails, will there be errors on the clients?

How long will it take to replicate to the clients?

I have my default policy at the top of the OU structure. If I apply this there, will it take effect on everything below?

Should I have the policy set to enforce?

Mike Kline commented:
Just a suggestion:
I'd only apply it to a few machines first so you can get a feel for the policy and how it works. Basically a pilot group before making a domain-wide change.
Yes, if you set it at the OU level it will affect all machines in that OU.
Thanks
Mike

bsharath (author) commented:
How can I force it to happen immediately on the clients?

Mike Kline commented:
gpupdate /force

bsharath (author) commented:
This did not do it.

Restarted 3 times.
gpupdate /force 3 times.
rsop.msc shows a red mark.

smashpmk712 commented:
Another possible solution would be to add the posted code to a batch file and set it as the login script. This saves you the confusion of using restricted groups.
net localgroup "local group name here" /add "domain group name here"


tigermatt commented:

If rsop.msc is showing a red cross, something is fatally wrong with the deployment of Group Policy. That would be the reason why the Restricted Groups policy did not apply, and until you fix the issue with GPO, Restricted Groups and many other policies will fail to run.

What Group Policy related events are logged in the Event Viewer?

-Matt

bsharath (author) commented:
I put 5 computer objects in the OU:
2 show perfect, but the group is not updated with the user
1 shows an exclamation mark
2 show a red cross

The system and DC event logs show this:

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Event 1030

No other events.

I created a group called SophosAdministrator and added Domain\administrator in
'Member of' for this group.

Is all that right?

bsharath (author) commented:
It's as this:

Security Settings
  Restricted Groups
    Group                            Members   Member of
    DEVELOPMENT\SophosAdministrator  (empty)   DEVELOPMENT\administrator

tigermatt commented:

The way you did it sounds correct. We can resolve issues with it applying later. The issue with 2 workstations not detecting it is more of a concern here.

What is the DNS Server IP on the failing workstations? DNS should be set to be resolved from one or more of your internal Domain Controllers which also runs the DNS Service. No ISP DNS Servers should be present here. Can you confirm this is the case?

tigermatt commented:
DEVELOPMENT is your domain, correct?

It looks like there's a mistake in the configuration. It should be:

Create the initial group in the Restricted Groups config. Create the initial restricted group as DOMAIN\Domain Admins. Then, edit this Restricted Group policy and add to the 'Member Of' the text 'SophosAdministrator' (without the DEVELOPMENT\ before it).

I'm pretty sure that will work. Does that look correct to you, Mike?

-Matt
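The difference between the two ways of configuring Restricted Groups described earlier in the thread (the authoritative 'Members' list versus the additive 'Member Of' entry) and the reversed configuration corrected just above are easiest to see by simulating what the client does when the policy applies. The following is an added example, not code from this thread, from Microsoft or from any product. It parses constructed entries in the [Group Membership] form that the Restricted Groups editor writes to GptTmpl.inf, applies them to a constructed snapshot of one workstation's local groups, and flags the mistakes discussed above. The policy text, the names (DEVELOPMENT, SophosAdministrator, sophos-svc, LocalTech) and the local-group snapshot are all constructed for this example; a real GptTmpl.inf is UTF-16 on disk and usually carries *SID tokens instead of names, which this parser would simply pass through unchanged.

```python
import re

# Constructed policy text in the [Group Membership] form that Restricted
# Groups writes to GptTmpl.inf.  Form 1: the local group is the restricted
# group and 'Members' is set (the first way suggested in the thread).
POLICY_MEMBERS_MODE = """\
[Group Membership]
SophosAdministrator__Memberof =
SophosAdministrator__Members = DEVELOPMENT\\Administrator,DEVELOPMENT\\Domain Admins
"""

# Form 2: the additive 'Member Of' form.  Each domain account is the
# restricted group and the bare local group name is the 'Member Of' target.
POLICY_MEMBEROF_MODE = """\
[Group Membership]
DEVELOPMENT\\Domain Admins__Memberof = SophosAdministrator
DEVELOPMENT\\Domain Admins__Members =
DEVELOPMENT\\Administrator__Memberof = SophosAdministrator
DEVELOPMENT\\Administrator__Members =
"""

# Form 3: the reversed configuration pasted in the thread (domain-prefixed
# local group as the restricted group, a user account as 'Member Of').
POLICY_REVERSED = """\
[Group Membership]
DEVELOPMENT\\SophosAdministrator__Memberof = DEVELOPMENT\\administrator
DEVELOPMENT\\SophosAdministrator__Members =
"""

# Constructed snapshot of one workstation's local groups before the policy runs.
LOCAL_GROUPS_BEFORE = {
    "Administrators": {"Administrator", "DEVELOPMENT\\Domain Admins"},
    "SophosAdministrator": {"DEVELOPMENT\\sophos-svc", "LocalTech"},
}

KEY_RE = re.compile(r"^(?P<name>.+?)__(?P<kind>Members|Memberof)$", re.IGNORECASE)


def parse_group_membership(inf_text):
    """Return {restricted group: {"members": list or None, "memberof": list}}.
    'members' is None when no __Members key exists; an empty list means the
    key was present but empty, which is still authoritative."""
    policy = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY_RE.match(key)
        if not match:
            continue
        entry = policy.setdefault(match.group("name"), {"members": None, "memberof": []})
        entry[match.group("kind").lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return policy


def apply_restricted_groups(local_groups, policy):
    """Return the local-group snapshot as it would look after the policy applies."""
    after = {group: set(members) for group, members in local_groups.items()}
    for name, spec in policy.items():
        # 'Members' on a group that exists locally is authoritative: the group
        # ends up with exactly that list and everyone else is removed.
        if name in after and spec["members"] is not None:
            after[name] = set(spec["members"])
        # 'Member Of' is additive: the restricted group is added to each local
        # target and existing members are left alone.
        for target in spec["memberof"]:
            if target in after:
                after[target].add(name)
    return after


def lint_policy(policy, local_groups):
    """Warnings for settings that will surprise an admin on this machine."""
    warnings = []
    for name, spec in policy.items():
        if name in local_groups and spec["members"] is not None:
            dropped = sorted(local_groups[name] - set(spec["members"]))
            if dropped:
                warnings.append(f"{name}: 'Members' is authoritative and will remove {dropped}")
        for target in spec["memberof"]:
            if "\\" in target:
                warnings.append(f"{name}: 'Member Of' target {target!r} has a domain prefix; "
                                "use the bare local group name")
            elif target not in local_groups:
                warnings.append(f"{name}: 'Member Of' target {target!r} is not a local group here")
        if name not in local_groups and not spec["memberof"]:
            warnings.append(f"{name}: not a local group and no 'Member Of' targets; no effect")
    return warnings


if __name__ == "__main__":
    for label, text in (("Members form", POLICY_MEMBERS_MODE),
                        ("Member Of form", POLICY_MEMBEROF_MODE),
                        ("Reversed form", POLICY_REVERSED)):
        policy = parse_group_membership(text)
        after = apply_restricted_groups(LOCAL_GROUPS_BEFORE, policy)
        print(f"{label}: SophosAdministrator -> {sorted(after['SophosAdministrator'])}")
        for warning in lint_policy(policy, LOCAL_GROUPS_BEFORE):
            print("  warning:", warning)
```

Running it prints the resulting SophosAdministrator membership for each form: the 'Members' form ends with exactly the two domain accounts and drops sophos-svc and LocalTech, the 'Member Of' form keeps both existing members and adds the two accounts, and the reversed form changes nothing because neither side of it names a local group, which is what a policy that "applies" without touching the group looks like from the client.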

bsharath (author) commented:
Should I select enforce?
Are there faster ways to force the GPO?

tigermatt commented:
Enforcing the GPO will not cause it to update at the clients faster.

The only way you can get the clients to pick it up is to either wait for a background refresh, reboot them or run gpupdate /force. In the case of restricted groups policies I'd probably reboot them to kick it into action.

-Matt

bsharath (author) commented:
I just tried a couple of restarts; a few still show red, and 2 got to the normal state in rsop and have the setting correct, but the group has not been cleared and added with the new user we set.

What is enforce used for?
