  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 472

Can't properly add local admins with Group Policy

Hi there

I'm trying to give a handful of users Local Admin rights on all machines at an office.  I have created a group on the server (Server 2003 R2) and added a few members to it.  I created a GPO and set up Restricted Groups...  I configured the Administrator group and added the group I created earlier.

Now when I log onto a workstation (XP or Windows 7 64-bit), I go to view the users and my group is not listed.  I then go to the Advanced tab, click on the Advanced button and when I go to Groups and Select Administrators, the group I created IS a member.

However when I log on to the machine as one of the members of that group, they still do not have Local Admin rights.

Any suggestions would be appreciated.

Thanks
Asked: stormstar

2 Solutions
 
arnold Commented:
Using the route you seem to have gone, this will mean that the GPO will clear the existing Builtin\Administrators group and will add the user you list.

Double check the entry, the other option using restricted groups is to use the domain\group is a member of builtin\Administrators group. This will append the group into the local administrators group.

Double check where this GPO applies and whether there is another GPO that supersedes it.

There might be an exclusionary rule where the group members are members of another group which is restricted from having local admin rights.

Use GPMC to get the group policy results and see what affects the rights of group members on a specific system.
 
Dave Commented:
Not sure why you expect your group to be listed on the workstation. It needs to be an active directory group, and the workstation only shows local groups.

It can't be a local group because the GPO contains the SID/GUID of the group, not the name. When you define local groups on multiple workstations they all have unique SIDs even if they have the same name.

Note that groups like the local administrators groups all have the same SID on all workstations.
See http://support.microsoft.com/kb/243330 for a list.

If your group is listed in the local administrators group, then users have administrator rights on the workstation, but if user account control is on on Windows/7 the token will be stripped. How do you know the users don't have admin rights?
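The two Restricted Groups modes arnold describes (replace the members of Builtin\Administrators, or append a domain group to it) and the SID-based storage Dave mentions can be checked by reading the `[Group Membership]` section of the GPO's `GptTmpl.inf` security template. The following is an added example, not code from any of the posts: the function names are hypothetical, the SIDs and template text are constructed samples, and it assumes the entries are stored in SID form.

```python
import re

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed samples of the [Group Membership] section; the domain SIDs are made up.
SAMPLE_REPLACE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""
SAMPLE_APPEND = """\
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members' or 'memberof'): [values]} from [Group Membership]."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only lines under the [Group Membership] header are of interest.
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            group, kind, values = m.groups()
            items = [v.strip().lstrip("*") for v in values.split(",") if v.strip()]
            entries[(group.lstrip("*"), kind.lower())] = items
    return entries

def admin_group_effect(inf_text):
    """Classify how the template touches local Administrators (SID-form entries only)."""
    replace_with, append = [], []
    for (group, kind), items in parse_group_membership(inf_text).items():
        if group == ADMINS_SID and kind == "members" and items:
            replace_with = items      # "Members": the listed SIDs replace the group
        elif kind == "memberof" and ADMINS_SID in items:
            append.append(group)      # "Member of": this group is added to Administrators
    mode = "replace" if replace_with else "append" if append else "none"
    return {"mode": mode, "replace_with": replace_with, "append": append}

if __name__ == "__main__":
    for sample in (SAMPLE_REPLACE, SAMPLE_APPEND):
        print(admin_group_effect(sample))
```

To run it against a real GPO, read the template from the policy's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` in SYSVOL and decode it first, since these files are typically stored as UTF-16.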
 
stormstar (Author) Commented:
Thanks for the info guys.  I actually ended up taking a different route that suited this environment better.

Both of you made very good points so I am splitting the points between you both.

Thanks
 
stormstar (Author) Commented:
Both comments were accurate etc, but I was not able to continue through with testing as a better\alternate method was found.