Solved

Can't properly add local admins with Group Policy

Posted on 2011-03-03
Last Modified: 2012-05-11
Hi there

I'm trying to give a handful of users Local Admin rights on all machines at an office.  I have created a group on the server (Server 2003 R2) and added a few members to it.  I created a GPO and set up Restricted Groups...  I configured the Administrator group and added the group I created earlier.

Now when I log onto a workstation (XP or Windows 7 64 bit), I go to view the users and my group is not listed.  I then go to the Advanced tab, click on the Advanced button and when I go to Groups and Select Administrators, the group I created IS a member.

However when I log on to the machine as one of the members of that group, they still do not have Local Admin rights.

Any suggestions would be appreciated.

Thanks
Question by:stormstar

Accepted Solution

by:
arnold earned 250 total points
ID: 35027788
Using the route you seem to have gone, this will mean that the GPO will clear the existing Builtin\Administrators group and will add the user you list.

Double check the entry. The other option using restricted groups is to use the domain\group is a member of builtin\Administrators group.
This will append the group into the local administrators group.

Double check where this GPO applies and whether there is another GPO that supersedes it.

There might be an exclusionary rule where the group members are members of another group which is restricted from having local admin rights.

Use GPMC to get the group policy results and see what affects the rights of group members on a specific system.

Assisted Solution

by:Dave
Dave earned 250 total points
ID: 35039490
Not sure why you expect your group to be listed on the workstation. It needs to be an active directory group, and the workstation only shows local groups.

It can't be a local group because the GPO contains the SID/GUID of the group, not the name. When you define local groups on multiple workstations they all have unique SIDs even if they have the same name.

Note that groups like the local administrators groups all have the same SID on all workstations.
See http://support.microsoft.com/kb/243330 for a list.

If your group is listed in the local administrators group, then users have administrator rights on the workstation, but if user account control is on on Windows/7 the token will be stripped. How do you know the users don't have admin rights?
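The two Restricted Groups routes discussed in the answers above can be told apart in the GPO itself, shown here as an added example that is not part of the original thread: the setting is stored by SID in the `[Group Membership]` section of the GPO's `GptTmpl.inf` security template. The sample template and its domain SIDs are constructed, and `parse_group_membership` and `review` are hypothetical helper names.

```python
ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators, the same SID on every machine

# Constructed sample showing both forms side by side; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_group_membership(inf_text):
    """Return (group_sid, kind, [sids]) for each line of [Group Membership]."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue  # not a <group>__Members / <group>__Memberof key
        sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        entries.append((group.lstrip("*"), kind.lower(), sids))
    return entries

def review(inf_text):
    """Report what each entry does to the local Administrators group."""
    findings = []
    for group, kind, sids in parse_group_membership(inf_text):
        if kind == "members" and group == ADMINS_SID and sids:
            # "Members" on Administrators: existing members are cleared and replaced.
            findings.append(("replace", sids))
        elif kind == "memberof" and ADMINS_SID in sids:
            # "Member of" on the domain group: it is appended to Administrators.
            findings.append(("append", [group]))
    return findings

if __name__ == "__main__":
    for action, sids in review(SAMPLE_INF):
        print(action, sids)
```
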
 

Author Comment

by:stormstar
ID: 35041352
Thanks for the info guys.  I actually ended up taking a different route that suited this environment better.

Both of you made very good points so I am splitting the points between you both.

Thanks
 

Author Closing Comment

by:stormstar
ID: 35041358
Both comments were accurate etc, but I was not able to continue through with testing as a better\alternate method was found.