  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417

AD Group Policy local admin group WinXP

I need to create an AD group "Select Local Admins" in which I will place user accounts that will be able to admin their own machines.
Once created, I intend to deploy a GPO to all machines that will delete any single accounts not in that group (Domain Admins and Helpdesk groups will remain).
Whilst not 100% foolproof, the best solution I can think of is to add to "Select Admins group": username & dedicated workstation hostname.

The condition will be that if the user AND their workstation are listed in the group, they will be granted admin rights.

How do I achieve this?
0
Danno2013
2 Solutions
 
coolsport00 Commented:
Are these "select" admins only going to log in to 1 PC? In other words, are these end users (like execs) you want to have Admin rights? I guess a bit more specific info is needed. But, if the above is true, and the select admins are in the same OU, just create a GPO and Add whatever Admins you want under:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\Administrators

If the 'select' group is throughout your organization, you can create the GPO and remove all users from the Delegation tab of the GPO and only add the specific AD security group you want (you can place the specific computers in a security group as well and add that to the security of your GP).

Regards.
~coolsport00
0
 
Danno2013 (Author) Commented:
Yes - end users are to have admin rights on their workstations. The idea of adding their computer names to the group is to ensure that they are only allowed admin rights on those PCs (and those others in the group - this is unfortunate, but an acceptable risk).
Will your above solution meet those criteria?

0
 
tigermatt Commented:

Hey,

Restricted Groups, which was mentioned by the previous poster, is what you are after. You will define a particular security group of users in Active Directory, then use a Restricted Groups set-up in a Group Policy to add that security group as a member of the 'Administrators' group.

By filtering the Group Policy, you can then control which computers will have the Restricted Groups policy applied - and therefore, which PCs the users in the security group gain Administrative rights to.

What becomes a little complicated is when you say you want users to have admin rights to their own workstations only. If this is the case, restricted groups is not suitable, because you would either be granting users administrative rights to many PCs, or you would need separate policies for every PC on the network. For adding users as Admins but only on their own PCs, the best (and only easy) route is to do this manually.

-Matt
0
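
An added example, not part of the thread or any poster's code: a PowerShell audit for the per-PC case discussed above, which lists members of a workstation's local Administrators group that are neither in a baseline set nor the user paired with that workstation. The domain, group, user and host names are constructed placeholders, and the live query assumes the ADSI WinNT provider can reach the machine remotely.

```powershell
# Added example. Domain, group, user and host names are constructed placeholders.
$domain   = 'CONTOSO'
$baseline = @("$domain\Domain Admins", "$domain\Helpdesk", 'Administrator')

# One row per permitted user/workstation pair (constructed sample data).
$pairs = @'
User,Computer
jsmith,WS-0101
adoe,WS-0102
'@ | ConvertFrom-Csv

# Reads a machine's local Administrators group through the ADSI WinNT provider.
function Get-LocalAdminMember {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # DOMAIN/name is a domain principal; DOMAIN/COMPUTER/name is a local account.
        if ($parts.Count -ge 3) { $parts[-1] } else { $parts -join '\' }
    }
}

# Returns members that are neither baseline nor the user paired with this computer.
function Find-UnexpectedAdmin {
    param([string]$Computer, [string[]]$Members)
    $allowed  = @($baseline)
    $allowed += $pairs | Where-Object { $_.Computer -eq $Computer } |
                ForEach-Object { "$domain\$($_.User)" }
    $Members | Where-Object { $allowed -notcontains $_ }
}

# Constructed membership lists stand in for live queries so the block runs offline.
$sample = @{
    'WS-0101' = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jsmith')
    'WS-0102' = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jsmith', 'CONTOSO\adoe')
}
foreach ($pc in $sample.Keys) {
    foreach ($extra in (Find-UnexpectedAdmin -Computer $pc -Members $sample[$pc])) {
        New-Object PSObject -Property @{ Computer = $pc; Unexpected = $extra }
    }
}
# Live use: Find-UnexpectedAdmin -Computer $pc -Members (Get-LocalAdminMember -Computer $pc)
```

The script only reports; it changes no group membership, so its output can be reviewed before any account is removed by hand or by policy.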
