Solved

AD Group Policy local admin group WinXP

Posted on 2009-04-04
Last Modified: 2012-05-06
I need to create an AD group "Select Local Admins" in which I will place user accounts that will be able to admin their own machines.
Once created, I intend to deploy a GPO to all machines that will delete any single accounts not in that group (Domain Admins and Helpdesk groups will remain).
Whilst not 100% foolproof, the best solution I can think of is to add to the "Select Admins group": username & dedicated workstation hostname.

The condition will be that if the user AND their workstation are listed in the group, they will be granted admin rights.

How do I achieve this?
Question by:Danno2013
3 Comments
 
LVL 40

Accepted Solution

by:
coolsport00 earned 250 total points
ID: 24069740
Are these "select" admins only going to log in to 1 PC? In other words, are these end users (like execs) you want to have Admin rights? I guess a bit more specific info is needed. But, if the above is true, and the select admins are in the same OU, just create a GPO and Add whatever Admins you want under:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\Administrators

If the 'select' group is throughout your organization, you can create the GPO and remove all users from the Delegation tab of the GPO and only add the specific AD security group you want (you can place the specific computers in a security group as well and add that to the security of your GP).

Regards.
~coolsport00
 

Author Comment

by:Danno2013
ID: 24070510
Yes - end users are to have admin rights on their workstations. The idea of adding their computer names to the group is to ensure that they are only allowed admin rights on those PCs (and those others in the group - this is unfortunate, but an acceptable risk).
Will your above solution meet that criteria?

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24070812

Hey,

Restricted Groups, which was mentioned by the previous poster, is what you are after. You will define a particular security group of users in Active Directory, then use a Restricted Groups set-up in a Group Policy to add that security group as a member of the 'Administrators' group.

By filtering the Group Policy, you can then control which computers will have the Restricted Groups policy applied - and therefore, which PCs the users in the security group gain Administrative rights to.

What becomes a little complicated is when you say you want users to have admin rights to their own workstations only. If this is the case, restricted groups is not suitable, because you would either be granting users administrative rights to many PCs, or you would need separate policies for every PC on the network. For adding users as Admins but only on their own PCs, the best (and only easy) route is to do this manually.

-Matt
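
A check that can be run once the Restricted Groups policy discussed in the answers above has applied: list a workstation's local Administrators members and flag any that are not on the allow-list. This is an added example, not code from the thread; the function names are hypothetical, and CONTOSO, Helpdesk, PC-0142 and jsmith are constructed placeholders.

```powershell
# Constructed placeholders: CONTOSO, Helpdesk, PC-0142, jsmith.
function ConvertFrom-AdsPath {
    # 'WinNT://CONTOSO/Domain Admins' -> 'CONTOSO\Domain Admins'
    param([string]$AdsPath)
    $parts = ($AdsPath -replace '^WinNT://', '') -split '/'
    ($parts | Select-Object -Last 2) -join '\'
}

function Get-LocalAdminMember {
    # Live read through the ADSI WinNT provider, which also works on XP-era clients.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ConvertFrom-AdsPath $path
    }
}

function Get-UnexpectedAdmin {
    # Members not on the allow-list; -notcontains compares case-insensitively.
    param([string[]]$Members, [string[]]$Allowed)
    $Members | Where-Object { $Allowed -notcontains $_ }
}

$computer = 'PC-0142'
$allowed = @(
    "$computer\Administrator",       # built-in local account
    'CONTOSO\Domain Admins',
    'CONTOSO\Helpdesk',
    'CONTOSO\Select Local Admins'    # the group from the question
)
# Constructed sample of ADsPath values, so the check runs without a domain.
$sampleMembers = @(
    'WinNT://CONTOSO/PC-0142/Administrator',
    'WinNT://CONTOSO/Domain Admins',
    'WinNT://CONTOSO/Select Local Admins',
    'WinNT://CONTOSO/jsmith'         # individual account added by hand
) | ForEach-Object { ConvertFrom-AdsPath $_ }

Get-UnexpectedAdmin -Members $sampleMembers -Allowed $allowed
# Live use: Get-UnexpectedAdmin -Members (Get-LocalAdminMember $computer) -Allowed $allowed
```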