How to give a user local administrator permission on all client pc in AD?

Posted on 2009-04-13
Last Modified: 2012-05-06
I just want to give a user local administrator permission on all client pc, but not any domain permission. I know I can just add the user manually in local admin group on each pc. How can I do this in AD?
Question by:bubuko
14 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 400 total points
ID: 24132910
you will have to use "restricted groups" in group policy to do this

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

 
LVL 123
ID: 24132913
One way

Create a Global Group in AD, called Local PC Administrators. Add this group Local PC Administrators to the Local Administrator account on the PCs. Then add users that you would like to be Local Administrators only to this AD group Local PC Administrators.
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 24133018
Restricted groups is definitely the way to go, you don't want to do this manually on every box.
Another great link for restricted groups is here:
http://www.frickelsoft.net/blog/?p=13
Important note -- you can either add/append to what is there (which is what you want) or you can wipe out what is in the group now and add the new group.
Florian does a good job of explaining it but just make sure you are adding.  I'd start with the policy on a few machines first just to get a feel for it before deploying it to all the machines.
Thanks
Mike
LVL 18

Assisted Solution

by:Americom
Americom earned 200 total points
ID: 24135083
1. Create a global group in the domain.
2. Add the users you want to have admin rights to the PCs to the above global group.
3. Follow the URL provided by Mike above to add this global group to all the PCs by using the restricted groups GPO.

The URL provided has all the necessary steps and with good explanation. As Mike suggested, the best way is to create the GPO and link it to a test OU with a few test machines to get familiar with it first.
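A worked version of the three steps above, added here as an example and not taken from any of the posters: it creates the global group, then audits each client's local Administrators group to confirm the Restricted Groups policy has landed and that the pre-existing members were kept (the append-versus-replace point Mike raises). It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell 5.1 or later and WinRM on the clients; the group and computer names are constructed.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module,
# PowerShell 5.1+ (Get-LocalGroupMember) and WinRM on the clients.
Import-Module ActiveDirectory

$GroupName = 'Local PC Administrators'   # name used in the thread
$Computers = 'PC01', 'PC02'               # constructed sample client list

# Step 1: create the global security group once, if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators via Restricted Groups GPO'
}

# Step 2 is adding users to that group (Add-ADGroupMember); step 3 is the GPO.
# Audit: on each client, is the domain group in local Administrators, and is the
# built-in local Administrator still there (i.e. the GPO appended, not replaced)?
$expected = "$env:USERDOMAIN\$GroupName"
$report = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    $members = Get-LocalGroupMember -Group 'Administrators' |
               Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        GroupPresent      = $members -contains $using:expected
        LocalAdminKept    = $members -contains "$env:COMPUTERNAME\Administrator"
        Members           = ($members -join '; ')
    }
}
$report | Format-Table Computer, GroupPresent, LocalAdminKept, Members -AutoSize

# Clients where the policy has not applied yet: refresh computer policy remotely
# instead of rebooting twice, as discussed later in the thread.
$pending = $report | Where-Object { -not $_.GroupPresent } |
           Select-Object -ExpandProperty Computer
if ($pending) {
    Invoke-Command -ComputerName $pending -ScriptBlock { gpupdate /target:computer /force }
}
```

A client that reports GroupPresent but not LocalAdminKept indicates the GPO was configured with "Members of this group" (replace) rather than "This group is a member of" (append).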
 

Author Comment

by:bubuko
ID: 24139932
Thank you Mike!! the article is excellent!
And I also read the link that Akhater provides:

>>When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer.

I think this paragraph is wrong, even if I leave the member field empty, it still has its original members.

Lastly, I successfully made it work by following the link Mike provided. However, after I applied the GPO and then rebooted the client pc, it didn't take effect the first time...... then I had to run gpupdate /force on both, then log back in on the client, and it works.... why?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24140177
I'm going to test the paragraph about leaving it blank (never tried that one).  I'll put the results on my blog (just started the blog)  http://adisfun.blogspot.com/
Thanks
Mike
 
LVL 18

Expert Comment

by:Americom
ID: 24140677
There is a chance that you rebooted and logged on too quickly before the IP and everything got assigned and applied. Of course this depends on your network environment as well as what gets loaded on your workstation etc.  If you wait a bit, it will eventually be applied, which is normal.
 
LVL 49

Expert Comment

by:Akhater
ID: 24141910
After changing a group policy or changing the OU of a computer you will often find it necessary to reboot twice for the new policies to be applied and take effect.

At the first boot the computer will know it has new policies to apply and the second boot it will actually apply them.

Of course leaving the computer running long enough for it to refresh its policies or run gpupdate will eliminate the need of one or both reboots (depending on the policies)
 

Author Comment

by:bubuko
ID: 24142443
>>At the first boot the computer will know it has new policies to apply and the second boot it will actually apply them.

Sounds very inefficient.... If I enable "Always waits for the network at computer startup and logon".... will this fix the problem?
 
LVL 49

Expert Comment

by:Akhater
ID: 24142756
>>Sounds very inefficient....<<

actually it is to make the computer boot faster

You are facing this problem only because you are testing, creating a policy (or changing a computer from OU to another) and directly rebooting.

In day-to-day operation the GPO will get refreshed by the computer periodically (as if you had run gpupdate) and the computer will have its new policies applied.

>>If I enable "Always waits for the network at computer startup and logon".... will this fix the problem?<<

I am not sure, but I really doubt it.
 
LVL 18

Expert Comment

by:Americom
ID: 24142861
BTW, the suggestion "Always wait for the network..." is not a good idea in my experience. It will take too long due to many reasons that have nothing to do with your Active Directory, it may even be the configuration of the switch where the machines are plugged in, DHCP is down and cannot assign an IP, etc. It is not necessary to force all users to have this policy set as enabled.

By default, Windows XP logs a user on in asynchronous mode. Group Policy is then applied in the background after the user is logged on. This results in faster logons.

In situations where you need users to receive software, implement folder redirection, or run new scripts in a single logon, then you may apply a GPO with the setting Always wait for the network at computer startup and logon to the computer. For this setting to take effect, Group Policy must be refreshed or the computer restarted. This decision also depends on how you want your users to react to the logon time....
 
LVL 18

Expert Comment

by:Americom
ID: 24142892
To clarify, it really depends on how your network environment is structured and configured, which could have an impact on user logon time. Especially in environments that have an internal network, guest network, port authentication; usually the more secure, the more dependencies there are.
 
LVL 18

Expert Comment

by:Americom
ID: 24142983
Need more clarification
<<BTW, the suggestion "Always wait for the network..." is not a good idea in my experience. It will take too long due to many reasons that have nothing to do with your Active Directory, it may even be the configuration of the switch where the machines are plugged in, DHCP is down and cannot assign an IP, etc. It is not necessary to force all users to have this policy set as enabled.>>

Let me rephrase this--"Always wait for the network" is not a bad idea if it's needed. But it should be used.
This means in your case for restricted groups, it's not a must have on the first reboot so it won't be necessary.

Also, in a complex environment, there may be network configuration that requires a computer account authentication and later a user authentication before the user gets put in a dedicated subnet to have certain things fully functional. Sometimes wireless is even more restricted, which could also slow down the process...but keep in mind that computer GPO gets refreshed every 90 minutes and your restricted group GPO should not be a concern.
