  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 621

How to add domain security group to local admin group of desktop pc using group policy

I would like to add a security group called technicians to the local admins group using group policy. I want to set it so it is enforced on the computers OU and doesn't matter what PC the techs log in to.
Asked:
colmisdiv
1 Solution
 
innovatorengineer Commented:
If you are on Server 2008 and Windows 7, I would recommend using Group Policy preferences.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Preferences-Get-Them-Running-Today.html

If you are on Win 7 and Server 2008 r2 they are ready to go.
0
 
Mike Kline Commented:
You can do that using restricted groups.  Florian has a nice blog entry on it here

http://www.frickelsoft.net/blog/?p=13

Notice there are two ways.  If you want to add to what is there, use the bottom box, "This group is a member of".

Test on a few machines to get a feel for it.

Thanks

Mike
0
 
pbrane Commented:
Hi,

All you need to do is create a restricted groups policy to add this group in.

This policy is absolute, so once it's in effect, it will remove all other groups that are in the administrators group, so with that in mind, you need to be careful to add the defaults back in again unless you don't actually want to.

I'm assuming you have the Group policy management console installed. Create your new policy by right clicking on the OU you require, and select create and link a GPO here, then right click this policy and edit it.

Expand Computer configuration > Windows Settings > Security Settings > Restricted Groups > right click and select Add group.

Browse for the Administrators group and click OK > select Add next to Members of this group and add back in the Administrator, Domain Admins and Enterprise Admins if this is a domain machine, plus whichever accounts/groups you want to become a local admin as well.

Click OK and that’s the GPO configured.

If you want to enforce it, right click in the GPO attached to the OU you attached it to, and select enforced.

This should now amend the local Administrators group for any computers inside this OU.

0

 
pbrane Commented:
Sorry, spent so long typing that, didn't realise there were other answers. Take your pick!

:-)
0
 
innovatorengineer Commented:
I have used both methods in the past and I personally (I say personally because with GP there are many ways to the same end)  like the preferences.  You can change passwords, expire accounts.....

But again, both methods work.

Quote from :  http://www.gpoguy.com/Portals/0/Group%20Policy%20Preferences%20Overview.pdf

 Local Users and Groups: This is both a per-computer and per-user extension that provides a variety of control around local user and group accounts. For example, you can use this extension to create a new local user on all of your desktop or server machines. But, more interestingly, you can also use this extension to update the passwords on existing accounts, like the local administrator, thereby giving you the ability to make periodic mass password changes to the local administrator account on all your machines. The passwords themselves are stored as 256-bit AES encrypted strings within the GPO’s setting storage in SYSVOL. This is true for all passwords that are supported in GPP, in fact. As for group management, think of this feature as a more flexible version of Restricted Groups policy. Within this GPP feature, you can create, delete and update existing groups and their members. You can rename groups, you can delete all members from groups and you can add/remove members from groups.
0
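An added example (not from the quoted overview or from any poster in this thread): a read-only audit of a GPP `Groups.xml` that lists what a policy adds to the local Administrators group, whether it first deletes existing members, and whether any account entry still carries a stored `cpassword`. Microsoft documented the AES key used for these values and its MS14-025 update stopped the GPP editor from saving passwords, so a `cpassword` left in SYSVOL should be treated as exposed. The XML below is a constructed sample; the domain name, SID and password value are placeholders.

```python
import xml.etree.ElementTree as ET

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed Groups.xml fragment (placeholder names, SID and cpassword value).
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)"
                cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </User>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544"
                groupName="Administrators (built-in)"
                deleteAllUsers="0" deleteAllGroups="0">
      <Members>
        <Member name="EXAMPLE\\technicians" action="ADD"
                sid="S-1-5-21-1111111111-2222222222-3333333333-1601"/>
      </Members>
    </Properties>
  </Group>
</Groups>"""

def audit_groups_xml(xml_text):
    """Summarise what a GPP Local Users and Groups file does to local admins."""
    findings = {"stored_passwords": [], "admin_adds": [], "wipes_existing": False}
    for props in ET.fromstring(xml_text).iter("Properties"):
        # Any non-empty cpassword is a recoverable credential sitting in SYSVOL.
        if props.get("cpassword"):
            findings["stored_passwords"].append(props.get("userName", "?"))
        if props.get("groupSid") == ADMINISTRATORS_SID:
            # deleteAllUsers / deleteAllGroups empty the group before adding.
            if "1" in (props.get("deleteAllUsers"), props.get("deleteAllGroups")):
                findings["wipes_existing"] = True
            findings["admin_adds"] += [
                m.get("name") for m in props.iter("Member")
                if m.get("action", "").upper() == "ADD"
            ]
    return findings

if __name__ == "__main__":
    print(audit_groups_xml(SAMPLE_GROUPS_XML))
```
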
 
bigstyler Commented:
Just for information, Microsoft does not support the configuration of domain groups membership through restricted groups.
0
 
Netman66 Commented:
Use Restricted Groups - Member Of section.  This will only add your group to the local Admin group and NOT remove or enforce any other member of the Administrators local group.

Doing it this way ensures you don't remove any members that need to be there, but it will add your group and guarantee it stays there.

0
 
Netman66 Commented:
Steps are as follows:

On an OU that contains all your PCs, create a new GPO or use an existing one (not the Default Domain Policy or Default Domain Controllers Policy).
In Computer Config>Windows Settings>Security Settings
Right click Restricted Groups and select Add Group.
Browse to your Domain group that you want to add.
Press OK.
In the next window, in the lower pane (this group is a member of), press Add.
Manually type: Administrators.
OK your way out.

Your domain group will now get added to the local Administrators group on each PC when they refresh their policies (maximum 90 minutes to all machines).

0
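An added example (not code from any poster in this thread): a parser for the `[Group Membership]` section that a Restricted Groups policy writes to the GPO's `GptTmpl.inf`, reporting whether a policy replaces the local Administrators membership (pbrane's "Members of this group" method) or only adds a group to it (the "This group is a member of" method in Netman66's steps). The INF samples are constructed and the domain SID and RID are placeholders.

```python
import re

# Names under which the local Administrators group appears in GptTmpl.inf:
# its well-known SID when browsed, or the plain name when typed by hand.
ADMIN_NAMES = {"*s-1-5-32-544", "administrators"}

# Constructed samples; TECHS stands in for the domain "technicians" group.
TECHS = "*S-1-5-21-1111111111-2222222222-3333333333-1601"
SAMPLE_MEMBER_OF = f"""[Unicode]
Unicode=yes
[Group Membership]
{TECHS}__Memberof = Administrators
{TECHS}__Members =
"""
SAMPLE_MEMBERS = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,{TECHS}
"""

LINE = re.compile(r"(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.I)

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = LINE.match(line)
        if in_section and m:
            entry = groups.setdefault(m.group(1).strip(),
                                      {"members": [], "memberof": []})
            entry[m.group(2).lower()] = [
                v.strip() for v in m.group(3).split(",") if v.strip()]
    return groups

def audit_local_admins(inf_text):
    """List (mode, principals) for each entry touching local Administrators."""
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        if group.lower() in ADMIN_NAMES:
            # "Members of this group": listed principals replace the membership.
            findings.append(("replace", entry["members"]))
        elif any(t.lower() in ADMIN_NAMES for t in entry["memberof"]):
            # "This group is a member of": group is added, other members stay.
            findings.append(("add", [group]))
    return findings
```

Real `GptTmpl.inf` files are normally UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.
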
 
colmisdiv (Author) Commented:
My apologies to everyone. It is the default Computers container that contains the PCs when they come on the domain. Will full privileges delegation work?
0
 
Mike Kline Commented:
You can't link a GPO to a container.  You can only link at the site, domain, OU levels.

You can use something like redircmp so that new PCs go to an OU you pick: http://technet.microsoft.com/en-us/library/cc778209(WS.10).aspx

...then link the GPO with the restricted groups to that GPO.

There are other ways to link at the domain and use security filtering but that can get messy.

Thanks

Mike
0
 
colmisdiv (Author) Commented:
I have a special anti-virus OU with some PCs in there, so I applied Netman66's suggestion to it and am waiting to see if it works. I was trying to avoid moving all my PCs to the OU I created.
0
 
colmisdiv (Author) Commented:
Works exactly as requested.
0
