colmisdiv
How to add domain security group to local admin group of desktop pc using group policy

I would like to add a security group called technicians to the local admins group using group policy. I want to set it so it is enforced on the computers OU and doesn't matter what PC the techs log in to.
innovatorengineer

If you are on Server 2008 and Windows 7, I would recommend using Group Policy Preferences.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Preferences-Get-Them-Running-Today.html

If you are on Win 7 and Server 2008 r2 they are ready to go.
Mike Kline
You can do that using Restricted Groups. Florian has a nice blog entry on it here

http://www.frickelsoft.net/blog/?p=13

Notice there are two ways. If you want to add to what is there, use the bottom box "This group is a member of".

Test on a few machines to get a feel for it.

Thanks

Mike
pbrane

Hi,

All you need to do is create a restricted groups policy to add this group in.

This policy is absolute, so once it's in effect, it will remove all other groups that are in the administrators group, so with that in mind, you need to be careful to add the defaults back in again unless you don't actually want to.

I'm assuming you have the Group policy management console installed. Create your new policy by right clicking on the OU you require, and select create and link a GPO here, then right click this policy and edit it.

Expand Computer configuration > Windows Settings > Security Settings > Restricted Groups > right click and select Add group.

Browse for the Administrators group and click OK > select Add next to "Members of this group" and add back in Administrator, Domain Admins and Enterprise Admins if this is a domain machine, plus whichever accounts/groups you want to become a local admin as well.

Click OK and that’s the GPO configured.

If you want to enforce it, right click the GPO attached to the OU you linked it to, and select Enforced.

This should now amend the local Administrators group for any computers inside this OU.

Sorry, spent so long typing that, didn't realise there were other answers. Take your pick!

:-)
I have used both methods in the past and I personally (I say personally because with GP there are many ways to the same end) like the preferences. You can change passwords, expire accounts.....

But again, both methods work.

Quote from: http://www.gpoguy.com/Portals/0/Group%20Policy%20Preferences%20Overview.pdf

Local Users and Groups: This is both a per-computer and per-user extension that provides a variety of control around local user and group accounts. For example, you can use this extension to create a new local user on all of your desktop or server machines. But, more interestingly, you can also use this extension to update the passwords on existing accounts, like the local administrator, thereby giving you the ability to make periodic mass password changes to the local administrator account on all your machines. The passwords themselves are stored as 256-bit AES encrypted strings within the GPO's setting storage in SYSVOL. This is true for all passwords that are supported in GPP, in fact. As for group management, think of this feature as a more flexible version of Restricted Groups policy. Within this GPP feature, you can create, delete and update existing groups and their members. You can rename groups, you can delete all members from groups and you can add/remove members from groups.
Just for information, Microsoft does not support the configuration of domain group membership through Restricted Groups.
Use Restricted Groups - Member Of section.  This will only add your group to the local Admin group and NOT remove or enforce any other member of the Administrators local group.

Doing it this way ensures you don't remove any members that need to be there, but it will add your group and guarantee it stays there.
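The thread's main caution is that the "Members of this group" box replaces the whole local Administrators membership, while "This group is a member of" only adds. Below is an added verification script (not from any answer here) to run on a domain-joined PC after the GPO is linked: it refreshes computer policy and then checks that the technicians group and the default members are all still present. It assumes the domain NetBIOS name CONTOSO and the group name technicians; both are placeholders.

```powershell
# Added example: verify local Administrators membership after the GPO applies.
# Assumed placeholders: domain NetBIOS name CONTOSO, domain group "technicians".
param(
    [string]$Domain = 'CONTOSO',
    [string[]]$Required = @('Administrator', 'Domain Admins', 'technicians')
)

# Refresh computer policy so Restricted Groups / GPP settings apply now.
gpupdate /target:computer /force | Out-Null

# The ADSI WinNT provider works on Windows 7 / Server 2008, where the
# Get-LocalGroupMember cmdlet is not available.
$group = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # Domain members appear as WinNT://CONTOSO/name, local ones as WinNT://PCNAME/name.
    if ($path -match "WinNT://$Domain/") { "$Domain\$name" } else { $name }
}

# A required member may be listed either bare (local) or domain-qualified.
$missing = $Required | Where-Object {
    $want = $_
    -not ($members | Where-Object { $_ -eq $want -or $_ -eq "$Domain\$want" })
}

if ($missing) {
    Write-Warning ("Administrators is missing: " + ($missing -join ', '))
    Write-Warning ("If Administrator or Domain Admins vanished, the policy used the " +
                   "absolute 'Members of this group' box instead of 'This group is a member of'.")
    exit 1
}
"Administrators contains: " + ($members -join ', ')
exit 0
```

Run it on one test machine in the OU before rolling the GPO out more widely; a non-zero exit code means a required member is absent.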

ASKER CERTIFIED SOLUTION
Netman66
colmisdiv

ASKER

My apologies to everyone. It is the default Computers container that contains the PCs when they come on the domain. Will full privileges delegation work?
You can't link a GPO to a container.  You can only link at the site, domain, OU levels.

You can use something like redircmp so that new PCs go to an OU you pick: http://technet.microsoft.com/en-us/library/cc778209(WS.10).aspx

...then link the GPO with the restricted groups to that GPO.

There are other ways to link at the domain and use security filtering but that can get messy.

Thanks

Mike
I have a special anti-virus OU with some PCs in there, so I applied netman66's suggestion to it and am waiting to see if it works. I was trying to avoid moving all my PCs to the OU I created.
Works exactly as requested.