Solved

Create GPO to automatically set new users as local admin on client machine

Posted on 2011-03-20
8
1,118 Views
Last Modified: 2012-05-11
I would like for my new users to automatically be administrators on their client machine.  I've been unsuccessful in creating that GPO.  I don't know where to start.  Could someone give me a step by step on this one?  Click here, type there, click this....etc.  

This is the only domain controller.  It's a small office with 4 users that plans on expanding and I don't want to have to individually assign those local rights each time I add a user.  There must be a way!  LOL

Thanks!
Rexx
0
Comment
Question by:rexxnet
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35175391
There have always been restricted groups using group policy. Since you are on 2008 you can also use group policy preferences to do this. Alan has a very good blog entry: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Let me know if that makes sense

Thanks

Mike
0
 
LVL 4

Accepted Solution

by:
AnthonyHamon earned 250 total points
ID: 35175420
It is not a good security practice to give users local administrator access on their machines, however, you may have good reason to do this (sermon over!)

Do you want the users to be local administrators on their own client machine only or on all client machines?  For the first scenario, there is no simple way to achieve this with Group Policy, for the second, however, the process is very simple.

(Make sure you understand the implications of these changes before applying them to the production environment)

Step 1
Ensure that all client workstations are in their own OU (with no other servers or workstations) and that there is a Global security group that contains the client workstation users.

Step 2
Create a new GPO linked to the client computers OU (or if you have an existing GPO for these client computers you can edit that one).  Make sure that the GPO will ONLY apply to the client computers.

Step 3
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Step 4
Right click on Restricted Groups and select Add Group.  Add a group called Administrators

Step 6
Edit the group, and, in the 'Members of this group' section, add the Global Security group that contains the client computer users.

Step 7
Click OK to close the 'Administrators Properties' window and close GPME.

All users in the Global Security group that contains the client computer users will be local administrators of the client computers.

I hope this helps.
0
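An added example, not part of the original answer: a PowerShell check of the GptTmpl.inf that a Restricted Groups policy like the one above produces. It flags broad principals placed in local Administrators and a missing Domain Admins entry, since the 'Members of this group' list replaces the existing local membership. The sample file content and its domain SID are constructed, and the function name Test-RestrictedAdminMembers is hypothetical.

```powershell
# Constructed sample of the [Group Membership] section that a Restricted Groups
# policy writes to GptTmpl.inf; the domain SID is a made-up placeholder.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-11
'@

# Hypothetical helper (not a built-in cmdlet). Assumes the group is stored in
# SID form; S-1-5-32-544 is the built-in local Administrators group.
function Test-RestrictedAdminMembers {
    param([Parameter(Mandatory)][string]$InfText)

    # Principals that turn every account into a local administrator.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }
    $findings = @()
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if ($inSection -and $line -match '^\*S-1-5-32-544__Members\s*=\s*(.*)$') {
            $members = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
            foreach ($m in $members) {
                if ($broad.ContainsKey($m)) {
                    $findings += "Broad principal in Administrators: $($broad[$m]) ($m)"
                } elseif ($m -match '^S-1-5-21-.+-513$') {
                    $findings += "Broad principal in Administrators: Domain Users ($m)"
                }
            }
            # The Members list is authoritative: anything omitted is removed.
            if (-not ($members -match '^S-1-5-21-.+-512$')) {
                $findings += 'Domain Admins (RID 512) not listed; it will be removed from local Administrators'
            }
        }
    }
    return $findings
}

Test-RestrictedAdminMembers -InfText $sampleInf
```

To check a real policy, pass the text of its GptTmpl.inf (read with Get-Content -Raw) instead of the sample.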
 

Author Comment

by:rexxnet
ID: 35175475
Mike:

This goes much further than I want to go with Individual computer names.  I just simply want to make the new user an administrator on any computer they sign in to.  This is a small organization and the article, thorough as it is, is asking to add individual computer names.  If I wind up having 50 computers, I don't want to add each computer to this list.  I want it to be automatic.  Isn't there a simpler solution?

Rexx
0
 

Author Comment

by:rexxnet
ID: 35175505
Anthony:

The main reason I want to do this is to allow the users to be able to add hardware when necessary and install software as needed.  I will not be onsite all of the time and I don't want them to have to sign off and sign back on as another user with local admin rights to perform these tasks.  

This is my first server setup.  So, I know enough to be VERY dangerous.  That's why I'm asking for help so it is not a complete failure.  LOL.

I tried to install a simple Flash update and I didn't have rights as the user.  Perfectly fine when I signed in with my credentials.  Same went with the printer/copier.

See where I'm coming from?  Does that help you help me some?

Thanks to you both for your patience in helping me learn and become their network guy.

Rexx
0
 
LVL 4

Assisted Solution

by:AnthonyHamon
AnthonyHamon earned 250 total points
ID: 35175607
Thanks Rexx,

The solution I provided achieves your requirement.  You just need to ensure that every user is added to the global security group when created and that every client computer is in the client computers OU.

Kind Regards,

Anthony
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 35176268
To make things much simpler, add the "Authenticated Users" group to the Restricted Groups GPO, as any user you create will be a member of the Authenticated Users group.
0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 125 total points
ID: 35177511
You can also create a startup script in the GPO.  Something like this.

net localgroup administrators "domain\domain users" /add

Save it as a filename.bat

Place that file in the startup script on the GPO that is linked to your computers.  Personally I would do restricted groups and add the users in there.  Like the others have said, I would create new OUs and design it logically for group policy processing, but since you are new I would be afraid of you adding this to the default domain policy.

Kevin
0
 
LVL 13

Assisted Solution

by:connectex
connectex earned 125 total points
ID: 35178019
I've noted this on another post. I also don't recommend giving local administrator rights to users. But if you must, the proper way to do this is via the Windows SBS Console. Click Users & Groups, double click on a user from the list. Select computers on the left side. Highlight the computer name. Select the desired access level from the drop down. Note that it says the changes will be delivered via group policy. I know it's not the simplest or quickest method. But it's how the SBS team designed it to work. And this way you don't have to worry about it being stepped on by another GPO.
0
