Solved

How to give a user local administrator permission on all client PCs in AD?

Posted on 2009-04-13
14
524 Views
Last Modified: 2012-05-06
I just want to give a user local administrator permission on all client PCs, but not any domain permission. I know I can just add the user manually to the local admin group on each PC. How can I do this in AD?
0
Question by:bubuko
14 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 100 total points
ID: 24132910
you will have to use "restricted groups" in group policy to do this

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

0
 
LVL 119
ID: 24132913
One way

Create a Global Group in AD called Local PC Administrators. Add this group, Local PC Administrators, to the Local Administrator account on the PCs. Then add the users that you would like to be Local Administrators only to this AD group, Local PC Administrators.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 24133018
Restricted groups is definitely the way to go; you don't want to do this manually on every box.
Another great link for restricted groups is here:
http://www.frickelsoft.net/blog/?p=13
Important note -- you can either add/append to what is there (which is what you want) or you can wipe out what is in the group now and add the new group.
Florian does a good job of explaining it, but just make sure you are adding. I'd start with the policy on a few machines first just to get a feel for it before deploying it to all the machines.
Thanks
Mike
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 24135083
1. Create a global group in the domain.
2. Add the users you want to have admin rights on the PCs to the above global group.
3. Follow the URL provided by Mike above to add this global group to all the PCs by using a Restricted Groups GPO.

The URL provided has all the necessary steps and with good explanation. As Mike suggested, the best way is to create the GPO and link it to a test OU with a few test machines to get familiar with it first.
0
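The three steps above, as an added example that is not code from this thread or from the linked articles. It uses the ActiveDirectory PowerShell module for steps 1 and 2, and then shows the two Restricted Groups forms that step 3 can produce in the GPO's GptTmpl.inf, because the append-versus-replace choice is the part that bites. The domain name EXAMPLE / example.com, the OU path, the group name and the user accounts are assumptions; the GptTmpl.inf lines are written with names for readability, whereas the GPO editor normally stores SIDs (the `*S-1-5-32-544` entry is the well-known SID of the local Administrators group).

```powershell
# Added example, not code from the thread. Steps 1 and 2 of the procedure above
# with the ActiveDirectory module, and the GptTmpl.inf text that step 3 produces
# for the "append" form versus the "replace" form of Restricted Groups.
# Assumptions: domain EXAMPLE (example.com), OU path, group name, sample user names.
Import-Module ActiveDirectory

$groupName = 'Local PC Administrators'
$groupPath = 'OU=Groups,DC=example,DC=com'     # assumed OU for the new group
$users     = 'jdoe', 'asmith'                   # constructed sample accounts

# Step 1: a global security group. Membership here grants nothing in the domain;
# local admin rights come only from the GPO that adds this group on each client.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
        -GroupCategory Security -Path $groupPath `
        -Description 'Members become local Administrators on client PCs (Restricted Groups GPO)'
}

# Step 2: add the users who need local admin rights on the clients.
Add-ADGroupMember -Identity $groupName -Members $users

# Step 3 is done in the GPO editor (Computer Configuration > Windows Settings >
# Security Settings > Restricted Groups). The editor stores the result in
# MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf inside the GPO's SYSVOL folder.
# What matters is which of the two forms you pick:

# "This group is a member of" (append): the domain group is added to the local
# Administrators group (well-known SID S-1-5-32-544) and existing local members
# are left untouched. This is the form the thread recommends.
$appendForm = @'
[Group Membership]
EXAMPLE\Local PC Administrators__Memberof = *S-1-5-32-544
'@

# "Members of this group" (replace): local Administrators is reset to exactly the
# listed members on every policy refresh; anything else is removed. Picking this
# form with an empty member list is the case the quoted article warns about.
$replaceForm = @'
[Group Membership]
*S-1-5-32-544__Members = EXAMPLE\Local PC Administrators
'@

# Sanity check from the domain side: who will become a local admin once the GPO applies.
Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Keep the group global and leave it out of every domain group: the thread's requirement is local admin rights only, and the group gets those purely through the GPO. The two here-strings are there to show what the editor writes; you still create the policy in GPMC and link it to a test OU first, as suggested above.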
 

Author Comment

by:bubuko
ID: 24139932
Thank you, Mike!! The article is excellent!
And I also read the link that Akhater provided:

>>When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer.

I think this paragraph is wrong; even if I leave the member field empty, it still has its original members.

Lastly, I successfully made it work by following the link Mike provided. However, after I applied the GPO and then rebooted the client PC, it didn't take effect the first time...... then I had to run gpupdate /force on both, then log back in on the client, and it works.... why?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24140177
I'm going to test the paragraph about leaving it blank (never tried that one).  I'll put the results on my blog (just started the blog)  http://adisfun.blogspot.com/
Thanks
Mike
0
 
LVL 18

Expert Comment

by:Americom
ID: 24140677
There is a chance that you rebooted and logged on too quickly, before the IP and everything got assigned and applied. Of course this depends on your network environment as well as what gets loaded on your workstation, etc. If you wait a bit, it will eventually be applied, which is normal.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24141910
After changing a group policy or changing the OU of a computer you will often find it necessary to reboot twice for the new policies to be applied and take effect.

At the first boot the computer will know it has new policies to apply and the second boot it will actually apply them.

Of course, leaving the computer running long enough for it to refresh its policies, or running gpupdate, will eliminate the need for one or both reboots (depending on the policies).
0
 

Author Comment

by:bubuko
ID: 24142443
>>At the first boot the computer will know it has new policies to apply and the second boot it will actually apply them.

Sounds very inefficient.... If I enable "Always wait for the network at computer startup and logon".... will this fix the problem?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24142756
>>Sounds very inefficient....<<

Actually it is to make the computer boot faster.

You are facing this problem only because you are testing, creating a policy (or changing a computer from OU to another) and directly rebooting.

In day-to-day operation the GPO will get refreshed by the computer periodically (as if you had run gpupdate) and the computer will have its new policies applied.

>>If I enable "Always waits for the network at computer startup and logon".... will this fix the problem?<<

I am not sure, but I really doubt it.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142861
BTW, the suggestion "Always wait for the network..." is not a good idea in my experience. It will take too long due to many reasons that have nothing to do with your Active Directory; it may even be the configuration of the switch where the machines are plugged in, DHCP being down and unable to assign an IP, etc. It is not necessary to force all users to have this policy set as enabled.

By default, Windows XP logs a user on in asynchronous mode. Group Policy is then applied in the background after the user is logged on. This results in faster logons.

In situations where you need users to receive software, implement folder redirection, or run new scripts in a single logon, then you may apply a GPO with the setting "Always wait for the network at computer startup and logon" to the computer. For this setting to take effect, Group Policy must be refreshed or the computer restarted. This decision also depends on how you want your users to react to the logon time....


0
 
LVL 18

Expert Comment

by:Americom
ID: 24142892
To clarify, it really depends on how your network environment is structured and configured, which could have an impact on user logon time. Especially in an environment that has an internal network, guest network, port authentication: usually the more secure, the more dependencies there are.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24142983
Need more clarification
<<BTW, the suggestion "Always wait for the network..." is not a good idea in my experience. It will take too long due to many reasons that have nothing to do with your Active Directory; it may even be the configuration of the switch where the machines are plugged in, DHCP being down and unable to assign an IP, etc. It is not necessary to force all users to have this policy set as enabled.>>

Let me rephrase this -- "Always wait for the network" is not a bad idea if it's needed. But it should be used.
This means in your case, for restricted groups, it's not a must-have on the first reboot, so it won't be necessary.

Also, in a complex environment, there may be network configuration that requires a computer account authentication and later a user authentication before the user gets put in a dedicated subnet to have certain things fully functional. Sometimes wireless is even more restricted and could also slow down the process... but keep in mind that computer GPOs get refreshed every 90 minutes, and your restricted group GPO should not be a concern.
0
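The thread settles on "wait for the refresh (or run gpupdate) and then check". As an added example, not code from this thread, here is a check that does the second half for you once the policy has had time to apply: it reads the local Administrators group on each client over PowerShell Remoting and reports members that are missing (the GPO has not applied yet, the reboot/gpupdate situation discussed above) or extra (an account the append form of Restricted Groups will never remove, so worth reviewing). Client names, the EXAMPLE domain and the group name are assumptions; Get-LocalGroupMember needs Windows 10 / Server 2016 or later on the clients, so on older builds you would parse `net localgroup Administrators` instead.

```powershell
# Added example, not code from the thread. Once the Restricted Groups GPO has
# refreshed on the clients, check the local Administrators group on each one and
# report anything outside the expected list. Computer names, domain name and
# group name are assumptions; requires PowerShell Remoting and, on the clients,
# Get-LocalGroupMember (Windows 10 / Server 2016 or later).
$clients  = 'PC01', 'PC02'              # assumed names; in practice: (Get-ADComputer -Filter *).Name
$expected = @(
    'LOCAL\Administrator'               # built-in local account (machine prefix normalized below)
    'EXAMPLE\Domain Admins'             # added to local Administrators at domain join
    'EXAMPLE\Local PC Administrators'   # the group the GPO appends
)

# Collect membership remotely; unreachable machines are kept as errors, not silently dropped.
$actual = Invoke-Command -ComputerName $clients -ErrorAction SilentlyContinue `
    -ErrorVariable remoteErrors -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            # Local accounts appear as "PC01\Administrator"; fold the machine name
            # into a fixed prefix so one expected list fits every client.
            Member   = $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", 'LOCAL\'
            Source   = $_.PrincipalSource
        }
    }
}

$results = foreach ($pc in $clients) {
    $members = @($actual | Where-Object Computer -eq $pc | Select-Object -ExpandProperty Member)
    if ($members.Count -eq 0) {
        [pscustomobject]@{ Computer = $pc; Status = 'unreachable or no data'; Extra = ''; Missing = '' }
        continue
    }
    $extra   = @($members  | Where-Object { $_ -notin $expected })
    $missing = @($expected | Where-Object { $_ -notin $members })
    [pscustomobject]@{
        Computer = $pc
        # Missing: the GPO has not applied on this client yet.
        # Extra:   a member the append form never prunes, so it stays until someone removes it.
        Status   = if ($missing) { 'GPO not applied' } elseif ($extra) { 'extra admins' } else { 'ok' }
        Extra    = $extra -join ', '
        Missing  = $missing -join ', '
    }
}

$results | Format-Table -AutoSize
$remoteErrors | ForEach-Object { Write-Warning "$($_.TargetObject): $($_.Exception.Message)" }
```

On a client that shows up as "GPO not applied", `gpresult /r /scope computer` tells you whether the policy is listed under the applied GPOs at all or is being filtered; if it is absent, wait for the background refresh or run `gpupdate /force` as the author did, then rerun the check. Running this periodically is also how you notice local admins that were added by hand, which the append form of Restricted Groups leaves in place by design.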
 

Author Comment

by:bubuko
ID: 24153699
0
