Solved

How to give a user local administrator permission on all client pc in AD?

Posted on 2009-04-13
14
519 Views
Last Modified: 2012-05-06
I just want to give a user local administrator permission on all client pc, but not any domain permission. I know I can just add the user manually in local admin group on each pc. How can I do this in AD?
Question by:bubuko
14 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 100 total points
ID: 24132910
you will have to use "restricted groups" in group policy to do this

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

0
 
LVL 117
ID: 24132913
One way

Create a Global Group in AD, called Local PC Administrators. Add this group Local PC Administrators to the Local Administrator account on the PCs. Then add users that you would like to be Local Administrators only to this AD group Local PC Administrators.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 24133018
Restricted groups is definitely the way to go, you don't want to do this manually on every box.
Another great link for restricted groups is here:
http://www.frickelsoft.net/blog/?p=13
Important note -- you can either add/append to what is there (which is what you want) or you can wipe out what is in the group now and add the new group.
Florian does a good job of explaining it but just make sure you are adding. I'd start with the policy on a few machines first just to get a feel for it before deploying it to all the machines.
Thanks
Mike
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 24135083
1. create a global group in the domain
2. add the users you want to have admin right to the PCs to the above global group
3. follow the URL provided by Mike from above to add this global group to all the PC by using restricted groups GPO.

The URL provided has all the necessary steps and with good explanation. As Mike suggested, the best way is to create the GPO and link it to a test OU with a few test machines to get familiar with it first.
0
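As an added example (not posted by anyone in this thread), the three steps above in PowerShell, plus a check that the restricted-groups GPO appended the group to local Administrators on a pilot machine rather than replacing the existing members. The OU path, domain name, user names and computer name are assumptions.

```powershell
# Added example, not from the thread. Step 1 creates the global group, step 2
# populates it, step 3 verifies the result on a test client after the GPO applied.
# Assumed values: the OU path, the NetBIOS domain, the sample users, the pilot PC.
Import-Module ActiveDirectory

$GroupName = 'Local PC Administrators'
$GroupOU   = 'OU=Groups,DC=example,DC=com'   # assumption
$Users     = 'jdoe', 'asmith'                # assumption

# Step 1: a Global security group is what the restricted-groups policy will reference.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $GroupOU -Description 'Members become local admins on client PCs'
}

# Step 2: only the users who genuinely need local admin; membership grants no domain rights.
Add-ADGroupMember -Identity $GroupName -Members $Users

# Step 3: after gpupdate (or the periodic refresh) on a pilot machine, confirm that the
# built-in members survived and nothing unexpected is in the local Administrators group.
# The well-known SID S-1-5-32-544 is used so the check works even if the group is renamed.
function Test-LocalAdminMembership {
    param([string]$ComputerName, [string]$Domain = 'EXAMPLE')   # assumption
    $expected = @("$ComputerName\Administrator",
                  "$Domain\Domain Admins",
                  "$Domain\$GroupName")
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    }
    [pscustomobject]@{
        Computer = $ComputerName
        # Anything here was wiped by a "Members" (replace) policy instead of "Member of" (append)
        Missing  = @($expected | Where-Object { $_ -notin $members })
        # Anything here is an unexpected local admin worth investigating
        Extra    = @($members  | Where-Object { $_ -notin $expected })
    }
}

Test-LocalAdminMembership -ComputerName 'TESTPC01'   # assumption: a PC in the test OU
```

Run the check against the few pilot machines first; an empty Missing list confirms the policy is additive, and the Extra list doubles as a quick audit of who already holds local admin.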
 

Author Comment

by:bubuko
ID: 24139932
Thank you Mike!! the article is excellent!
And I also read the link that Akhater provides:

>>When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer.

I think this paragraph is wrong, even if I leave the member field empty, it still has its original members.

Lastly, I successfully made it work by following the link Mike provided. However, after I applied the GPO and then rebooted the client PC, it didn't take effect the first time...... then I had to run gpupdate /force on both, then log back in on the client, and it works.... why?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24140177
I'm going to test the paragraph about leaving it blank (never tried that one). I'll put the results on my blog (just started the blog) http://adisfun.blogspot.com/
Thanks
Mike
0
 
LVL 18

Expert Comment

by:Americom
ID: 24140677
There is a chance that you rebooted and logged on too quickly, before the IP and everything got assigned and applied. Of course this depends on your network environment as well as what gets loaded on your workstation etc. If you wait a bit, it will eventually be applied, which is normal.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24141910
After changing a group policy or changing the OU of a computer you will often find it necessary to reboot twice for the new policies to be applied and take effect.

At the first boot the computer will know it has new policies to apply and the second boot it will actually apply them.

Of course leaving the computer running long enough for it to refresh its policies, or running gpupdate, will eliminate the need for one or both reboots (depending on the policies).
0
 

Author Comment

by:bubuko
ID: 24142443
>>At the first boot the computer will know it has new policies to apply and the second boot it will actually apply them.

Sounds very inefficient.... If I enable "Always waits for the network at computer startup and logon".... will this fix the problem?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24142756
>>Sounds very inefficient....<<

actually it is to make the computer boot faster

You are facing this problem only because you are testing, creating a policy (or changing a computer from OU to another) and directly rebooting.

In day to day operation the GPO will get refreshed by the computer periodically (as if you had run gpupdate) and the computer will have its new policies applied.

>>If I enable "Always waits for the network at computer startup and logon".... will this fix the problem?<<

I am not sure but I really doubt it
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142861
BTW, the suggestion "Always wait for the network..." is not a good idea in my experience. It will take too long due to many reasons that have nothing to do with your Active Directory; it may even be the configuration of the switch where the machines are plugged in, DHCP being down and unable to assign an IP, etc. It is not necessary to force all users to have this policy set as enabled.

By default, Windows XP logs a user on in asynchronous mode. Group Policy is then applied in the background after the user is logged on. This results in faster logons.

In situations where you need users to receive software, implement folder redirection, or run new scripts in a single logon, then you may apply a GPO with the setting Always wait for the network at computer startup and logon to the computer. For this setting to take effect, Group Policy must be refreshed or the computer restarted. This decision also depends on how you want your users to react to the logon time....


0
 
LVL 18

Expert Comment

by:Americom
ID: 24142892
To clarify, it really depends on how your network environment is structured and configured, which could have an impact on user logon time. Especially in environments that have an internal network, guest network, port authentication; usually the more secure, the more dependencies there are..
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142983
Need more clarification
<<BTW, the suggestion "Always wait for the network..." is not a good idea in my experience. It will take too long due to many reasons that have nothing to do with your Active Directory; it may even be the configuration of the switch where the machines are plugged in, DHCP being down and unable to assign an IP, etc. It is not necessary to force all users to have this policy set as enabled.>>

Let me rephrase this--"Always wait for the network" is not a bad idea if it's needed. But it should be used.
This means in your case for restricted groups, it's not a must-have on the first reboot, so it won't be necessary.

Also, in a complex environment, there may be a network configuration that requires a computer account authentication and later a user authentication before the user gets put in a dedicated subnet to have certain things fully functional. Sometimes wireless is even more restricted and could also slow down the process...but keep in mind that computer GPO gets refreshed every 90 minutes, so your restricted group GPO should not be a concern.
0
 

Author Comment

by:bubuko
ID: 24153699
0