Solved

AD Group Policy local admin group WinXP

Posted on 2009-04-04
Last Modified: 2012-05-06
I need to create an AD group "Select Local Admins" in which I will place user accounts that will be able to admin their own machines.
Once created, I intend to deploy a GPO to all machines that will delete any single accounts not in that group (Domain Admins and Helpdesk groups will remain).
Whilst not 100% foolproof, the best solution I can think of is to add to the "Select Admins" group:
Username & dedicated workstation hostname

The condition will be that if the user AND their workstation are listed in the group, they will be granted admin rights.

How do I achieve this?
Question by:Danno2013
3 Comments
 

Accepted Solution

by:
coolsport00 earned 250 total points
ID: 24069740
Are these "select" admins only going to log in to 1 PC? In other words, are these end users (like execs) you want to have Admin rights? I guess a bit more specific info is needed. But, if the above is true, and the select admins are in the same OU, just create a GPO and add whatever Admins you want under:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\Administrators

If the 'select' group is throughout your organization, you can create the GPO and remove all users from the Delegation tab of the GPO and only add the specific AD security group you want (you can place the specific computers in a security group as well and add that to the security of your GP).

Regards.
~coolsport00
 

Author Comment

by:Danno2013
ID: 24070510
Yes - end users are to have admin rights on their workstations. The idea of adding their computer names to the group is to ensure that they are only allowed admin rights on those PCs (and those others in the group - this is unfortunate, but an acceptable risk).
Will your above solution meet those criteria?


Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24070812

Hey,

Restricted Groups, which was mentioned by the previous poster, is what you are after. You will define a particular security group of users in Active Directory, then use a Restricted Groups set-up in a Group Policy to add that security group as a member of the 'Administrators' group.

By filtering the Group Policy, you can then control which computers will have the Restricted Groups policy applied - and therefore, which PCs the users in the security group gain Administrative rights to.

What becomes a little complicated is when you say you want users to have admin rights to their own workstations only. If this is the case, restricted groups is not suitable, because you would either be granting users administrative rights to many PCs, or you would need separate policies for every PC on the network. For adding users as Admins but only on their own PCs, the best (and only easy) route is to do this manually.

-Matt
0
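A preview of what a Restricted Groups policy on Administrators would change on one workstation, as an added example that is not part of the original thread. It relies on the policy's Members list replacing the existing membership (the built-in Administrator account excepted); the CORP domain, the account names and the sample `net localgroup` output are constructed, and the parser assumes English-language output.

```powershell
# Constructed sample: output of `net localgroup Administrators` on one workstation.
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\Helpdesk
CORP\jsmith
localtech
The command completed successfully.
'@ -split "`r?`n"

# Hypothetical Members list the Restricted Groups policy would enforce.
$enforced = 'CORP\Domain Admins', 'CORP\Helpdesk', 'CORP\Select Local Admins'

function Get-LocalAdminMembers {
    param([string[]]$NetOutput)
    $inList = $false
    foreach ($line in $NetOutput) {
        # Member names start after the dashed separator line.
        if ($line -match '^-{5,}\s*$') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line -match '^The command completed') { break }
        if ($line.Trim()) { $line.Trim() }
    }
}

function Compare-RestrictedGroup {
    param([string[]]$Current, [string[]]$Enforced)
    foreach ($m in $Current) {
        # -contains is case-insensitive, matching how account names compare.
        if ($Enforced -contains $m) { $action = 'Keep' }
        elseif ($m -eq 'Administrator') { $action = 'Keep (built-in)' }
        else { $action = 'Remove' }
        New-Object PSObject -Property @{ Account = $m; Action = $action }
    }
    foreach ($m in $Enforced) {
        if ($Current -notcontains $m) {
            New-Object PSObject -Property @{ Account = $m; Action = 'Add' }
        }
    }
}

Compare-RestrictedGroup (Get-LocalAdminMembers $sample) $enforced |
    Format-Table Account, Action -AutoSize
```

Accounts reported as Remove are the individually added users and local accounts the policy would strip; reviewing that list per machine before linking the GPO shows who loses admin rights.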
