How to create a Group Policy in SBS 2008 server - to allow users admin access to local computers?

OCUBE



We have a Windows SBS 2008 Server (AD, DNS, Exchange).
We have around 35 users in our network.
Every user has a network ID to log in to their computers.

We have to do maintenance on the computers, which requires admin access.

Instead of us logging in manually to each PC as administrator, I wanted to temporarily create a Group Policy and apply it to the entire domain, so that every network user will have admin rights on their local computer.

How can I do this? Please walk me through these steps on creating a GP on a Windows SBS 2008 server.

This policy is only for a limited time; we will disable it later once we are done with the maintenance.
Commented:
You want to add them to the administrators group NOT DOMAIN ADMINS GROUP
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
Take a look at this KB article, as it demonstrates how to add the domain administrators group to local administrators. This will work for you; all you need to do is change the domain administrators group to domain users and it should work.

http://support.microsoft.com/kb/555026

Also here is a link to create a GPO...
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html
http://trycatch.be/blogs/roggenk/archive/2007/07/25/windows-server-2008-amp-group-policy-management-console-gpmc.aspx

Hope this helps~!
Have a look here

http://serverfault.com/questions/79614/group-policy-administrator-rights-for-specific-users-on-specific-computers

If you want a way to do it without GPO, on the SBS create a group called Local Admin (or whatever you choose) and add all of your users. Go to the local machine, right-click My Computer and click Manage. Go to Users and Groups and double-click on Groups. Double-click on the Administrators group, hit Add and add the group you created on the server. Reboot and test.

Author

Commented:


Is there any SBS 2008 default policy or some security setting which will not allow local network users to be part of the local admin group?

Author

Commented:


The problem is:

When I manually log into the local computer as administrator and then give the network user ADMIN rights, it will take the privileges.

But when I reboot the computer, the local network user is OFF the list.

So somehow either some SBS 2008 default policy is overriding it or removing the network user as being part of administrator.

Commented:
Network user or domain user? I'm confused.
Are you adding them to the administrators group under the username on the server first?
Top Expert 2012

Commented:
To add users to the local admin group you can use Restricted Groups GPO.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
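
A check for the Restricted Groups approach suggested above, added here as an example and not code from any poster in this thread: it reads the `[Group Membership]` section of a GPO's GptTmpl.inf security template and reports which principals the policy places in the local Administrators group, flagging broad ones such as Domain Users so a temporary grant can be confirmed gone once maintenance is over. The sample template, its SIDs and the function name are constructed for illustration.

```python
import re

# Forms under which BUILTIN\Administrators appears as a template key or value.
ADMINS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}
# Principals that cover nearly every account: Everyone, Authenticated Users,
# INTERACTIVE, BUILTIN\Users, and any domain's Domain Users group (RID 513).
BROAD = re.compile(
    r"^\*s-1-(1-0|5-11|5-4|5-32-545|5-21-\d+-\d+-\d+-513)$|"
    r"(^|\\)(everyone|authenticated users|domain users)$")

# Constructed sample; the domain SID and RID 1105 are made up. Real templates
# are UTF-16 files under SYSVOL, at
# Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf,
# and can be loaded with open(path, encoding="utf-16").read().
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = f"""[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {DOM}-512,{DOM}-513
{DOM}-1105__Memberof = *S-1-5-32-544
{DOM}-1105__Members =
"""

def local_admin_grants(inf_text):
    """Map each principal the template puts in local Administrators to
    True if it is a broad group, else False."""
    grants, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, eq, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not (in_section and eq and sep):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        added = []
        if kind.lower() == "members" and group.lower() in ADMINS:
            added = values                      # "Members of this group"
        elif kind.lower() == "memberof" and any(v.lower() in ADMINS for v in values):
            added = [group]                     # "This group is a member of"
        for principal in added:
            grants[principal] = bool(BROAD.search(principal.lower()))
    return grants

if __name__ == "__main__":
    for principal, broad in local_admin_grants(SAMPLE).items():
        print(("BROAD  " if broad else "ok     ") + principal)
```

Run against the templates of every GPO linked to the workstations; any line marked BROAD means ordinary accounts still hold local administrator rights through that policy.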
Top Expert 2013

Commented:
If you join computers to the domain properly using the http://SBSname/connectcomputer (SBS 2003) or http://connect (SBS2008) and assign a user, the user will automatically be made an administrator of their local machine.

If this was not done, you can use restricted groups as has been suggested, or with SBS 2008 you can use the Windows SBS console to view the computers to which a user has logon privileges and set them as a standard user or local administrator. To do so go to Windows SBS console | Users and Groups | Users | user properties | computers | access level. The user will have to log off and back on for changes to be applied. This setting likely overrides the changes you are making manually on the PCs.
Why don't you use the SBS server console: click on the network tab, double-click the computer, click user access and control who has local admin privileges there?

Author

Commented:


Thanks
