Solved

How to add a domain security group to the local admin group of desktop PCs using Group Policy

Posted on 2011-03-16
12
606 Views
Last Modified: 2012-05-11
I would like to add a security group called technicians to the local admins group using Group Policy. I want to set it so it is enforced on the computers OU and doesn't matter what PC the techs log in to.
Question by:colmisdiv
12 Comments
 
LVL 4

Expert Comment

by:innovatorengineer
ID: 35151191
If you are on Server 2008 and Windows 7, I would recommend using Group Policy Preferences.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Preferences-Get-Them-Running-Today.html

If you are on Win 7 and Server 2008 R2 they are ready to go.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35151192
You can do that using Restricted Groups. Florian has a nice blog entry on it here:

http://www.frickelsoft.net/blog/?p=13

Notice there are two ways. If you want to add to what is there, use the bottom box "this group is a member of".

Test on a few machines to get a feel for it.

Thanks

Mike
 
LVL 4

Expert Comment

by:pbrane
ID: 35151240
Hi,

All you need to do is create a restricted groups policy to add this group in.

This policy is absolute, so once it's in effect, it will remove all other groups that are in the administrators group, so with that in mind, you need to be careful to add the defaults back in again unless you don't actually want to.

I'm assuming you have the Group Policy Management Console installed. Create your new policy by right-clicking on the OU you require, and select "Create and Link a GPO Here", then right-click this policy and edit it.

Expand Computer configuration > Windows Settings > Security Settings > Restricted Groups > right click and select Add group.

Browse for the Administrators group and click OK > select Add next to "Members of this group" and add back in the Administrator, Domain Admins and Enterprise Admins if this is a domain machine, plus whichever accounts/groups you want to become a local admin as well.

Click OK and that’s the GPO configured.

If you want to enforce it, right-click the GPO under the OU you attached it to, and select Enforced.

This should now amend the local Administrators group for any computers inside this OU.

 
LVL 4

Expert Comment

by:pbrane
ID: 35151248
Sorry, spent so long typing that, didn't realise there were other answers. Take your pick!

:-)
 
LVL 4

Expert Comment

by:innovatorengineer
ID: 35151336
I have used both methods in the past and I personally (I say personally because with GP there are many ways to the same end) like the preferences. You can change passwords, expire accounts...

But again, both methods work.

Quote from: http://www.gpoguy.com/Portals/0/Group%20Policy%20Preferences%20Overview.pdf

Local Users and Groups: This is both a per-computer and per-user extension that provides a variety of control around local user and group accounts. For example, you can use this extension to create a new local user on all of your desktop or server machines. But, more interestingly, you can also use this extension to update the passwords on existing accounts, like the local administrator, thereby giving you the ability to make periodic mass password changes to the local administrator account on all your machines. The passwords themselves are stored as 256-bit AES encrypted strings within the GPO's setting storage in SYSVOL. This is true for all passwords that are supported in GPP, in fact. As for group management, think of this feature as a more flexible version of Restricted Groups policy. Within this GPP feature, you can create, delete and update existing groups and their members. You can rename groups, you can delete all members from groups and you can add/remove members from groups.
 
LVL 4

Expert Comment

by:bigstyler
ID: 35152617
Just for information, Microsoft does not support the configuration of domain group membership through Restricted Groups.
 
LVL 51

Expert Comment

by:Netman66
ID: 35156875
Use Restricted Groups - "Member Of" section. This will only add your group to the local Admin group and NOT remove or enforce any other member of the Administrators local group.

Doing it this way ensures you don't remove any members that need to be there, but it will add your group and guarantee it stays there.

 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 35156918
Steps are as follows:

On an OU that contains all your PCs, create a new GPO or use an existing one (not the Default Domain Policy or Default Domain Controllers Policy).
In Computer Config > Windows Settings > Security Settings
Right click Restricted Groups and select Add Group.
Browse to your Domain group that you want to add.
Press OK.
In the next window, in the lower pane (this group is a member of), press Add.
Manually type: Administrators.
OK your way out.

Your domain group will now get added to the local Administrators group on each PC when they refresh their policies (maximum 90 minutes to all machines).

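Once the "member of" policy above has applied, a practitioner will want to confirm on a workstation that the domain group really landed in local Administrators and that nothing else was stripped or added. The script below is an added example, not from this thread; it assumes a placeholder domain CONTOSO, the group name "technicians" from the question, and Get-LocalGroupMember (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the thread): audit the local Administrators group on this PC
# after the Restricted Groups "member of" GPO has applied, and report any drift.
# Assumptions (placeholders): domain NetBIOS name CONTOSO, group name "technicians".
# Run "gpupdate /force" first if you do not want to wait up to 90 minutes for refresh.
$ExpectedMembers = @(
    'CONTOSO\technicians',               # the group the GPO adds
    'CONTOSO\Domain Admins',             # default that pbrane advises keeping
    "$env:COMPUTERNAME\Administrator"    # built-in local admin account
)

function Get-LocalAdminDrift {
    param([string[]]$Expected)
    # Get-LocalGroupMember is in the built-in LocalAccounts module (Win10/2016+).
    $actual = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    # -notin compares case-insensitively, which matches how Windows treats names.
    [pscustomobject]@{
        Actual     = $actual
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    }
}

$drift = Get-LocalAdminDrift -Expected $ExpectedMembers
if ($drift.Missing)    { Write-Warning "Missing from Administrators: $($drift.Missing -join ', ')" }
if ($drift.Unexpected) { Write-Warning "Unexpected members: $($drift.Unexpected -join ', ')" }
if (-not $drift.Missing -and -not $drift.Unexpected) {
    'Local Administrators matches the expected baseline.'
}
```

An "Unexpected" entry is the signal to look at: with the "member of" method it usually means someone added an account locally, whereas with the "members of this group" method a missing default means the absolute policy removed it.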
 

Author Comment

by:colmisdiv
ID: 35159975
My apologies to everyone. It is the default Computers container that contains the PCs when they come on the domain. Will full privileges delegation work?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35160031
You can't link a GPO to a container. You can only link at the site, domain, or OU levels.

You can use something like redircmp so that new PCs go to an OU you pick: http://technet.microsoft.com/en-us/library/cc778209(WS.10).aspx

...then link the GPO with the restricted groups to that GPO.

There are other ways to link at the domain and use security filtering but that can get messy.

Thanks

Mike
 

Author Comment

by:colmisdiv
ID: 35160069
I have a special anti-virus OU with some PCs in there, so I applied Netman66's suggestion to it and am waiting to see if it works. I was trying to avoid moving all my PCs to the OU I created.
 

Author Closing Comment

by:colmisdiv
ID: 35323247
Works exactly as requested.