Improve company productivity with a Business Account.Sign Up

x
?
Solved

windows 7 security

Posted on 2011-02-25
4
Medium Priority
?
381 Views
Last Modified: 2012-05-11
I am going to upgrade all XPs (250 PCs) to windows 7 Enterprise 64 bit. I don't want to give local admin to everyone but one group called Lab. The thing is that I don't want Lab users to login on another computer to create any local admin users. Lab users can be only admin on their own computers. I will apply this with GPO to implement this but I am a bit confused how to do. I would like to to this with a minimum administration.
Any idea.
Thanks in advance
0
Comment
Question by:Ksean
4 Comments
 
LVL 1

Expert Comment

by:hQWeedEater
ID: 34980694
You could create a security group in AD and add the Lab team to the list. At that point you would only need to add that list to the local admin group of the PCs. That way only the Lap team can be admins on the Lap PCs and no where else.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34980710
Use restricted groups and set it to replace any users.

Mike will probably post his handy restricted groups link here any second.
0
 
LVL 4

Expert Comment

by:racastillojr
ID: 34980768
If all the computers are on the domain the lab people will have admin rights on every computer in the domain. The difference is, when they log in with their account, their own profile will show. You would have to set up the computers locally to restrict the rights for each computer.

Another thing, make sure that your XP computers hardware are 64 bit compatible.
0
 
LVL 39

Accepted Solution

by:
Hypercat (Deb) earned 2000 total points
ID: 34981013
Using group policy, you can create an AD group, i.e., "Lab Users," and then create a group policy that adds that AD group to the local admins group on the set of computers used by those Lab users. You would need to create a separate group policy and configure it so that it applies only to the computers that are used by those Lab users.  The easiest way to do this would be by creating a separate OU for the lab computers and then applying the group policy only to that OU.

The method of adding the Lab Users group to the local admins group is done using Restricted Groups. Within the group policy you've created for the Lab computers:

1. Go to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups.
2. Right-click and select "Add Group." Enter or browse and select the name of your AD group.
3. In the next dialog box, click "Add" next to the This group is a member of box, and then type "Administrators" and apply the change.

This will add the AD group to the local Administrators group on all of the computers in that OU.
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Scripts are great for performing batch jobs against users, however sometimes the GUI is all you need.
One thing I've always found frustrating is no matter how many times one asks the end users to not save things on their local machines, they do it anyway.  Forget that we don't back up the desktops - only the servers.  Well, let's sneak their data on…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question