Solved

Windows 7 security

Posted on 2011-02-25
Last Modified: 2012-05-11
I am going to upgrade all XPs (250 PCs) to Windows 7 Enterprise 64-bit. I don't want to give local admin to everyone but one group called Lab. The thing is that I don't want Lab users to log in on another computer to create any local admin users. Lab users can only be admins on their own computers. I will use GPO to implement this, but I am a bit confused about how to do it. I would like to do this with minimum administration.
Any ideas?
Thanks in advance.
0
Question by:Ksean
4 Comments
 
LVL 1

Expert Comment

by:hQWeedEater
ID: 34980694
You could create a security group in AD and add the Lab team to the list. At that point you would only need to add that list to the local admin group of the PCs. That way only the Lab team can be admins on the Lab PCs and nowhere else.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34980710
Use restricted groups and set it to replace any users.

Mike will probably post his handy restricted groups link here any second.
0
 
LVL 4

Expert Comment

by:racastillojr
ID: 34980768
If all the computers are on the domain the lab people will have admin rights on every computer in the domain. The difference is, when they log in with their account, their own profile will show. You would have to set up the computers locally to restrict the rights for each computer.

Another thing: make sure that your XP computers' hardware is 64-bit compatible.
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 34981013
Using group policy, you can create an AD group, i.e., "Lab Users," and then create a group policy that adds that AD group to the local admins group on the set of computers used by those Lab users. You would need to create a separate group policy and configure it so that it applies only to the computers that are used by those Lab users.  The easiest way to do this would be by creating a separate OU for the lab computers and then applying the group policy only to that OU.

The method of adding the Lab Users group to the local admins group is done using Restricted Groups. Within the group policy you've created for the Lab computers:

1. Go to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups.
2. Right-click and select "Add Group." Enter or browse and select the name of your AD group.
3. In the next dialog box, click "Add" next to the "This group is a member of" box, and then type "Administrators" and apply the change.

This will add the AD group to the local Administrators group on all of the computers in that OU.
0
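
One way to verify the result of the Restricted Groups policy from the accepted answer, as an added example that is not part of the original thread: the "This group is a member of" setting adds the AD group to the local Administrators group without removing members that are already there, so this PowerShell script lists any member outside an allow-list. The domain `CONTOSO`, the computer names, the account `tempadmin` and both function names are constructed placeholders.

```powershell
# Added example, not from the thread. Domain, computer and account names are placeholders.
# Uses the ADSI WinNT provider so it runs on PowerShell 2.0 (ships with Windows 7).

function Get-LocalAdminPath {
    # Return the ADsPath of every member of a computer's local Administrators group.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Find-UnexpectedAdmin {
    # Compare member paths against an allow-list; anything not listed is reported.
    param([string]$ComputerName, [string[]]$MemberPath, [string[]]$Allowed)
    foreach ($path in $MemberPath) {
        # 'WinNT://DOMAIN/PC/name' -> 'DOMAIN/PC/name'
        $name = $path -replace '^WinNT://', ''
        # Local accounts carry the computer name as the middle segment.
        $isLocal = $name -match "^[^/]+/$([regex]::Escape($ComputerName))/"
        $short = ($name -split '/')[-1]
        # Normalise to '.\name' for local accounts, 'DOMAIN\name' for domain principals.
        $key = if ($isLocal) { ".\$short" } else { $name -replace '/', '\' }
        if ($Allowed -notcontains $key) {
            New-Object PSObject -Property @{
                Computer = $ComputerName; Member = $key; Local = $isLocal
            }
        }
    }
}

# Constructed sample data standing in for Get-LocalAdminPath output on LAB-PC01.
$sample = @(
    'WinNT://CONTOSO/LAB-PC01/Administrator',
    'WinNT://CONTOSO/Domain Admins',
    'WinNT://CONTOSO/Lab Users',
    'WinNT://CONTOSO/LAB-PC01/tempadmin'   # constructed: a locally created admin account
)
$allowed = @('.\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Lab Users')
Find-UnexpectedAdmin -ComputerName 'LAB-PC01' -MemberPath $sample -Allowed $allowed

# Live use against the lab OU's machines (computer names assumed):
# foreach ($pc in 'LAB-PC01', 'LAB-PC02') {
#     Find-UnexpectedAdmin $pc (Get-LocalAdminPath $pc) $allowed
# }
```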