
Windows 7 security

I am going to upgrade all XPs (250 PCs) to Windows 7 Enterprise 64-bit. I don't want to give local admin to everyone but one group called Lab. The thing is that I don't want Lab users to log in on another computer to create any local admin users. Lab users can be only admin on their own computers. I will apply this with GPO to implement this but I am a bit confused about how to do it. I would like to do this with minimum administration.
Any ideas?
Thanks in advance.
Asked by: Ksean
 
hQWeedEater Commented:
You could create a security group in AD and add the Lab team to the list. At that point you would only need to add that list to the local admin group of the PCs. That way only the Lab team can be admins on the Lab PCs and nowhere else.
 
Joseph Moody (Blogger and wearer of all hats) Commented:
Use restricted groups and set it to replace any users.

Mike will probably post his handy restricted groups link here any second.
 
racastillojr Commented:
If all the computers are on the domain the lab people will have admin rights on every computer in the domain. The difference is, when they log in with their account, their own profile will show. You would have to set up the computers locally to restrict the rights for each computer.

Another thing, make sure that your XP computers' hardware is 64-bit compatible.
 
Hypercat (Deb) Commented:
Using group policy, you can create an AD group, i.e., "Lab Users," and then create a group policy that adds that AD group to the local admins group on the set of computers used by those Lab users. You would need to create a separate group policy and configure it so that it applies only to the computers that are used by those Lab users.  The easiest way to do this would be by creating a separate OU for the lab computers and then applying the group policy only to that OU.

The method of adding the Lab Users group to the local admins group is done using Restricted Groups. Within the group policy you've created for the Lab computers:

1. Go to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups.
2. Right-click and select "Add Group." Enter or browse and select the name of your AD group.
3. In the next dialog box, click "Add" next to the "This group is a member of" box, and then type "Administrators" and apply the change.

This will add the AD group to the local Administrators group on all of the computers in that OU.
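One way to check the result of the Restricted Groups policy described above, as an added example that is not part of the original thread: it reads the local Administrators members of a lab PC and reports any account that is not on an expected list. The domain CONTOSO, the group name "Lab Users", the computer name LAB-PC01 and the account tempadmin are assumptions made for the example.

```powershell
# Added example, not from the thread. CONTOSO, "Lab Users", LAB-PC01 and
# tempadmin are assumed names. Uses the ADSI WinNT provider, so it also runs
# on the PowerShell 2.0 that ships with Windows 7.

# Accounts expected in local Administrators on a lab PC.
$Allowed = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Lab Users')

# Turn an ADsPath into DOMAIN\name, or a bare name for a local account.
function ConvertTo-AccountName {
    param([string]$AdsPath, [string]$ComputerName)
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    # Local accounts appear as WinNT://<domain or workgroup>/<computer>/<name>
    if ($parts.Count -eq 3 -and $parts[1] -eq $ComputerName) { return $parts[2] }
    if ($parts.Count -ge 2) { return ($parts[-2] + '\' + $parts[-1]) }
    return $parts[0]   # unresolved SID left behind by a deleted account
}

# Read the ADsPath of every member of local Administrators on one computer.
function Get-LocalAdminPath {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

# Return the members that are not on the allow list (comparison ignores case).
function Find-UnexpectedAdmin {
    param([string[]]$AdsPath, [string]$ComputerName, [string[]]$Allowed)
    foreach ($p in $AdsPath) {
        $name = ConvertTo-AccountName -AdsPath $p -ComputerName $ComputerName
        if ($Allowed -notcontains $name) { $name }
    }
}

# Constructed sample: membership of LAB-PC01 after an extra local admin was added.
$sample = @(
    'WinNT://CONTOSO/LAB-PC01/Administrator',
    'WinNT://CONTOSO/Domain Admins',
    'WinNT://CONTOSO/Lab Users',
    'WinNT://CONTOSO/LAB-PC01/tempadmin'
)
Find-UnexpectedAdmin -AdsPath $sample -ComputerName 'LAB-PC01' -Allowed $Allowed
# Live check: Find-UnexpectedAdmin (Get-LocalAdminPath 'LAB-PC01') 'LAB-PC01' $Allowed
```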
