Solved

How to add domain security group to local admin group of desktop pc using group policy

Posted on 2011-03-16
12 comments, 604 views
Last Modified: 2012-05-11
I would like to add a security group called technicians to the local admins group using group policy. I want to set it so it is enforced on the computers OU and it doesn't matter what PC the techs log in to.

Question by: colmisdiv

12 Comments
 
LVL 4

Expert Comment

by:innovatorengineer
If you are on Server 2008 and Windows 7 I would recommend using Group Policy Preferences.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Preferences-Get-Them-Running-Today.html

If you are on Win 7 and Server 2008 r2 they are ready to go.
 
LVL 57

Expert Comment

by:Mike Kline
You can do that using restricted groups.  Florian has a nice blog entry on it here

http://www.frickelsoft.net/blog/?p=13

Notice there are two ways.  If you want to add to what is there, use the bottom box "This group is a member of".

Test on a few machines to get a feel for it.

Thanks

Mike
 
LVL 4

Expert Comment

by:pbrane
Hi,

All you need to do is create a restricted groups policy to add this group in.

This policy is absolute, so once it's in effect, it will remove all other groups that are in the administrators group, so with that in mind, you need to be careful to add the defaults back in again unless you don't actually want to.

I'm assuming you have the Group policy management console installed. Create your new policy by right clicking on the OU you require, and select create and link a GPO here, then right click this policy and edit it.

Expand Computer configuration > Windows Settings > Security Settings > Restricted Groups > right click and select Add group.

Browse for the Administrators group and click OK > select Add next to "Members of this group" and add back in Administrator, Domain Admins and Enterprise Admins if this is a domain machine, plus whichever accounts/groups you want to become local admins as well.

Click OK and that’s the GPO configured.

If you want to enforce it, right click in the GPO attached to the OU you attached it to, and select enforced.

This should now amend the local Administrators group for any computers inside this OU.

 
LVL 4

Expert Comment

by:pbrane
Sorry, spent so long typing that, didn't realise there were other answers. Take your pick!

:-)
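Added example, not code from pbrane's post or anyone else in this thread. The difference between the two Restricted Groups forms that the posts above describe is visible in the file the GPO editor writes to SYSVOL: each entry in the [Group Membership] section of Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf ends in either `__Members` (absolute, replaces the group's membership) or `__Memberof` (additive). This script walks every GPO in the domain's SYSVOL and labels each entry, so you can find any policy that would reset the local Administrators group before you link a new one. The domain name is an assumption; it needs only read access to SYSVOL.

```powershell
# Added example, not from the thread. Audit Restricted Groups entries in SYSVOL
# and label the absolute "Members" form versus the additive "Member Of" form.
# $domain is an assumption; run as any domain user with read access to SYSVOL.
$domain   = 'example.com'
$policies = "\\$domain\SYSVOL\$domain\Policies"

function Resolve-Sid {
    # Entries are written as *SID. Translate to DOMAIN\Name where the
    # domain can resolve it; otherwise return the raw SID.
    param([string]$Value)
    $sid = $Value.Trim().TrimStart('*')
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $sid
    }
}

# Security Settings (Restricted Groups included) live in GptTmpl.inf inside
# each GPO folder; the folder name directly under Policies\ is the GPO GUID.
$infFiles = Get-ChildItem -Path $policies -Recurse -Filter GptTmpl.inf -ErrorAction SilentlyContinue

$findings = foreach ($inf in $infFiles) {
    $gpoGuid   = (($inf.FullName -split '\\Policies\\')[1] -split '\\')[0]
    $inSection = $false
    foreach ($line in Get-Content -Path $inf.FullName) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^(?<group>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<value>.*)$') { continue }

        $group = $matches['group']
        $kind  = $matches['kind']
        $value = $matches['value']
        $label = if ($kind -eq 'Members') { 'Members (absolute)' } else { 'MemberOf (additive)' }
        $names = ($value -split ',') | Where-Object { $_.Trim() } | ForEach-Object { Resolve-Sid $_ }

        [pscustomobject]@{
            GPO   = $gpoGuid
            Group = Resolve-Sid $group
            Kind  = $label
            Value = ($names -join ', ')
            File  = $inf.FullName
        }
    }
}

$findings | Sort-Object GPO, Group | Format-Table -AutoSize
# A row whose Group is BUILTIN\Administrators (S-1-5-32-544) and whose Kind is
# 'Members (absolute)' is a GPO that will reset the local Administrators group
# to exactly the listed Value on every computer it applies to.
```

The local Administrators group always appears as S-1-5-32-544, so it resolves the same way on every machine; domain groups resolve through the domain the script runs in. Cross-check the GUIDs against Get-GPO output from the GroupPolicy module if you want display names.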
 
LVL 4

Expert Comment

by:innovatorengineer
I have used both methods in the past and I personally (I say personally because with GP there are many ways to the same end) like the preferences.  You can change passwords, expire accounts.....

But again, both methods work.

Quote from :  http://www.gpoguy.com/Portals/0/Group%20Policy%20Preferences%20Overview.pdf

 Local Users and Groups: This is both a per-computer and per-user extension that provides a variety of control around local user and group accounts. For example, you can use this extension to create a new local user on all of your desktop or server machines. But, more interestingly, you can also use this extension to update the passwords on existing accounts, like the local administrator, thereby giving you the ability to make periodic mass password changes to the local administrator account on all your machines. The passwords themselves are stored as 256-bit AES encrypted strings within the GPO’s setting storage in SYSVOL. This is true for all passwords that are supported in GPP, in fact. As for group management, think of this feature as a more flexible version of Restricted Groups policy. Within this GPP feature, you can create, delete and update existing groups and their members. You can rename groups, you can delete all members from groups and you can add/remove members from groups.
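Added example, not code from this post or from the quoted PDF. The "256-bit AES encrypted strings" the quote describes are encrypted with a single fixed key that Microsoft later documented publicly, so any account that can read SYSVOL (every domain user) can recover those passwords; Microsoft removed the password fields from these preference items in MS14-025 (May 2014). Before relying on the Local Users and Groups preference for password changes, it is worth scanning SYSVOL for preference items that still carry a `cpassword` attribute. The domain name below is an assumption.

```powershell
# Added example, not from the thread. Find Group Policy Preference items in
# SYSVOL that still store a cpassword attribute. $domain is an assumption.
$domain   = 'example.com'
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Preference item types whose XML can embed a password.
$xmlNames = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$files = Get-ChildItem -Path $policies -Recurse -Include $xmlNames -ErrorAction SilentlyContinue

$hits = foreach ($file in $files) {
    [xml]$doc = Get-Content -Path $file.FullName
    # XPath attribute names are case-sensitive; the attribute is 'cpassword'.
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # The attribute naming the account differs per item type
        # (userName for groups/drives/printers, accountName for services,
        # runAs for scheduled tasks, username for data sources).
        $account = foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
            $v = $node.GetAttribute($attr)
            if ($v) { $v; break }
        }
        [pscustomobject]@{
            GPO     = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
            Item    = $node.Name
            Account = $account
            File    = $file.FullName
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No cpassword attributes found under SYSVOL.'
}
# Treat every hit as a disclosed password: delete the preference item and
# change that account's password on every machine the GPO reached.
```

The script only reports the presence of the attribute; it deliberately does not decrypt anything. Run it periodically, since an old GPO backup re-imported into the domain brings the attribute back.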
 
LVL 4

Expert Comment

by:bigstyler
Just for information, Microsoft does not support the configuration of domain group membership through Restricted Groups.
 
LVL 51

Expert Comment

by:Netman66
Use Restricted Groups - Member Of section.  This will only add your group to the local Admin group and NOT remove or enforce any other member of the Administrators local group.

Doing it this way ensures you don't remove any members that need to be there, but it will add your group and guarantee it stays there.

 
LVL 51

Accepted Solution

by: Netman66 (earned 500 total points)
Steps are as follows:

On an OU that contains all your PCs, create a new GPO or use an existing one (not the Default Domain Policy or Default Domain Controllers Policy).
In Computer Config>Windows Settings>Security Settings
Right click Restricted Groups and select Add Group.
Browse to your Domain group that you want to add.
Press OK.
In the next window, in the lower pane (this group is a member of), press Add.
Manually type: Administrators.
OK your way out.

Your domain group will now get added to the local Administrators group on each PC when they refresh their policies (maximum 90 minutes to all machines).

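Added example, not part of Netman66's answer: once the policy has refreshed (run `gpupdate /force` on a test PC rather than waiting for the interval), confirm from a management workstation that the domain group actually landed in the local Administrators group on every computer in the OU, and that the "Member Of" form left the existing members alone. It reads the local group through the ADSI WinNT provider, which talks to the remote SAM over RPC and so works on Windows 7 without WinRM. The OU distinguished name, the domain NetBIOS name and the group names are assumptions; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the thread. Verify the local Administrators group on
# every computer in an OU after a Restricted Groups "Member Of" policy applies.
# $searchBase and the names in $mustContain are assumptions.
Import-Module ActiveDirectory

$searchBase  = 'OU=Workstations,DC=example,DC=com'
$mustContain = @('EXAMPLE\Technicians',   # the group the GPO adds
                 'EXAMPLE\Domain Admins', # default members that must survive
                 'Administrator')

function Get-LocalAdministrators {
    # Returns members of the remote machine's Administrators group as
    # 'Name' for local accounts and 'DOMAIN\Name' for domain principals.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member comes back as an ADSI path such as
        # WinNT://EXAMPLE/Technicians or WinNT://PC01/Administrator.
        $path  = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2 -and $parts[0] -ieq $ComputerName) {
            $parts[-1]                       # local account on that PC
        } else {
            "$($parts[0])\$($parts[-1])"     # domain user or group
        }
    }
}

$report = foreach ($pc in Get-ADComputer -Filter * -SearchBase $searchBase) {
    try {
        $members = @(Get-LocalAdministrators -ComputerName $pc.Name)
        $missing = @($mustContain | Where-Object { $members -notcontains $_ })
        [pscustomobject]@{
            Computer = $pc.Name
            Ok       = ($missing.Count -eq 0)
            Missing  = ($missing -join ', ')
            Members  = ($members -join ', ')
            Error    = $null
        }
    } catch {
        # Offline machines or firewalled RPC show up here rather than as Ok=$false.
        [pscustomobject]@{
            Computer = $pc.Name
            Ok       = $false
            Missing  = $null
            Members  = $null
            Error    = $_.Exception.Message
        }
    }
}

$report | Sort-Object Ok, Computer | Format-Table -AutoSize
```

A computer that shows Technicians present but Domain Admins missing is the symptom of an absolute "Members" entry somewhere in the policy chain, not of this GPO; a computer that never gains the group usually sits outside the OU (the default Computers container cannot have a GPO linked to it, as the next comments explain) or has not refreshed yet.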
 

Author Comment

by:colmisdiv
My apologies to everyone. It is the default computer container that contains the PCs when they come on the domain. Will full privileges delegation work?
 
LVL 57

Expert Comment

by:Mike Kline
You can't link a GPO to a container.  You can only link at the site, domain, OU levels.

You can use something like redircmp so that new PCs go to an OU you pick   http://technet.microsoft.com/en-us/library/cc778209(WS.10).aspx

...then link the GPO with the restricted groups to that GPO.

There are other ways to link at the domain and use security filtering but that can get messy.

Thanks

Mike
 

Author Comment

by:colmisdiv
I have a special anti-virus OU with some PCs in there, so I applied netman66's suggestion to it and am waiting to see if it works. I was trying to avoid moving all my PCs to the OU I created.
 

Author Closing Comment

by:colmisdiv
Works exactly as requested.