Solved

AD Group Policy local admin group WinXP

Posted on 2009-04-04
Last Modified: 2012-05-06
I need to create an AD group "Select Local Admins" in which I will place user accounts that will be able to admin their own machines.
Once created, I intend to deploy a GPO to all machines that will delete any single accounts not in that group (Domain admins, Helpdesk groups will remain).
Whilst not 100% foolproof, the best solution I can think of is to add to "Select Admins group": username & dedicated workstation hostname.

The condition will be that if the user AND their workstation are listed in the group, they will be granted admin rights.

How do I achieve this?
Question by:Danno2013
3 Comments
 
LVL 40

Accepted Solution

by:
coolsport00 earned 250 total points
ID: 24069740
Are these "select" admins only going to log in to 1 PC? In other words, are these end users (like execs) you want to have Admin rights? I guess a bit more specific info is needed. But, if the above is true, and the select admins are in the same OU, just create a GPO and Add whatever Admins you want under:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\Administrators

If the 'select' group is throughout your organization, you can create the GPO and remove all users from the Delegation tab of the GPO and only add the specific AD security group you want (you can place the specific computers in a security group as well and add that to the security of your GP).

Regards.
~coolsport00
 

Author Comment

by:Danno2013
ID: 24070510
Yes - end users are to have admin rights on their workstations. The idea of adding their computer names to the group is to ensure that they are only allowed admin rights on those PCs (and those others in the group - this is unfortunate, but an acceptable risk).
Will your above solution meet that criteria?

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24070812

Hey,

Restricted Groups, which was mentioned by the previous poster, is what you are after. You will define a particular security group of users in Active Directory, then use a Restricted Groups set-up in a Group Policy to add that security group as a member of the 'Administrators' group.

By filtering the Group Policy, you can then control which computers will have the Restricted Groups policy applied - and therefore, which PCs the users in the security group gain Administrative rights to.

What becomes a little complicated is when you say you want users to have admin rights to their own workstations only. If this is the case, restricted groups is not suitable, because you would either be granting users administrative rights to many PCs, or you would need separate policies for every PC on the network. For adding users as Admins but only on their own PCs, the best (and only easy) route is to do this manually.

-Matt
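
The thread leaves the per-user, per-workstation condition to manual handling, so the following audit sketch is an added example, not code from any poster above: it compares each machine's local Administrators membership against a list of (workstation, user) pairs and reports anything outside it. The domain name CONTOSO, the hostnames, the user names and the group name "Helpdesk" are assumed placeholders, and the function names are hypothetical.

```powershell
# Added example with constructed data. CONTOSO, the hostnames and the user
# names are placeholders; "Helpdesk" stands in for the thread's helpdesk groups.
$Domain = 'CONTOSO'
$AlwaysAllowed = @("$Domain\Domain Admins", "$Domain\Helpdesk")

# One row per (dedicated workstation, user) pair, as the question describes.
$Pairs = @'
Hostname,User
WS-0101,jsmith
WS-0102,adavis
'@ | ConvertFrom-Csv

function Get-ExpectedAdmins {
    param([string]$Hostname)
    $users = @($Pairs | Where-Object { $_.Hostname -eq $Hostname } |
               ForEach-Object { "$Domain\$($_.User)" })
    # The built-in local Administrator account is expected on every machine.
    @("$Hostname\Administrator") + $AlwaysAllowed + $users
}

function Get-LocalAdminMembers {
    param([string]$Hostname)
    # WinNT ADSI provider: needs no extra modules on the admin workstation.
    $group = [ADSI]"WinNT://$Hostname/Administrators,group"
    foreach ($m in $group.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/name, or WinNT://DOMAIN/HOST/name for local accounts.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Get-UnexpectedAdmins {
    param([string]$Hostname, [string[]]$Actual)
    $expected = Get-ExpectedAdmins -Hostname $Hostname
    # -notcontains compares case-insensitively, matching Windows account names.
    @($Actual | Where-Object { $expected -notcontains $_ })
}

# Offline demonstration: a constructed membership list for WS-0101.
# adavis is paired with WS-0102 in $Pairs, not with WS-0101.
$sample = 'WS-0101\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jsmith', 'CONTOSO\adavis'
Get-UnexpectedAdmins -Hostname 'WS-0101' -Actual $sample

# Live use, run from an account allowed to query the workstations:
# foreach ($h in ($Pairs | ForEach-Object { $_.Hostname })) {
#     Get-UnexpectedAdmins -Hostname $h -Actual (Get-LocalAdminMembers $h)
# }
```

The script only reads group membership and changes nothing on the workstations.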