Solved

Create GPO to automatically set new users as local admin on client machine

Posted on 2011-03-20
8
1,128 Views
Last Modified: 2012-05-11
I would like for my new users to automatically be administrators on their client machine.  I've been unsuccessful in creating that GPO.  I don't know where to start.  Could someone give me a step by step on this one?  Click here, type there, click this....etc.  

This is the only domain controller.  It's a small office with 4 users that plans on expanding and I don't want to have to individually assign those local rights each time I add a user.  There must be a way!  LOL

Thanks!
Rexx
Question by:rexxnet
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35175391
There has always been restricted groups using group policy.  Since you are on 2008 you can also use group policy preferences to do this.   Alan has a very good blog entry   http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Let me know if that makes sense

Thanks

Mike
0
 
LVL 4

Accepted Solution

by:
AnthonyHamon earned 250 total points
ID: 35175420
It is not a good security practice to give users local administrator access on their machines, however, you may have good reason to do this (sermon over!)

Do you want the users to be local administrators on their own client machine only or on all client machines?  For the first scenario, there is no simple way to achieve this with Group Policy, for the second, however, the process is very simple.

(Make sure you understand the implications of these changes before applying them to the production environment)

Step 1
Ensure that all client workstations are in their own OU (with no other servers or workstations) and that there is a Global security group that contains the client workstation users.

Step 2
Create a new GPO linked to the client computers OU (or if you have an existing GPO for these client computers you can edit that one).  Make sure that the GPO will ONLY apply to the client computers.

Step 3
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Step 4
Right click on Restricted Groups and select Add Group.  Add a group called Administrators

Step 6
Edit the group, and, in the 'Members of this group' section, add the Global Security group that contains the client computer users.

Step 7
Click OK to close the 'Administrators Properties' window and close GPME.

All users in the Global Security group that contains the client computer users will be local administrators of the client computers.

I hope this helps.
0
 

Author Comment

by:rexxnet
ID: 35175475
Mike:

This goes much further than I want to go with individual computer names.  I just simply want to make the new user an administrator on any computer they sign in to.  This is a small organization and the article, thorough as it is, is asking to add individual computer names.  If I wind up having 50 computers, I don't want to add each computer to this list.  I want it to be automatic.  Isn't there a simpler solution?

Rexx
0

 

Author Comment

by:rexxnet
ID: 35175505
Anthony:

The main reason I want to do this is to allow the users to be able to add hardware when necessary and install software as needed.  I will not be onsite all of the time and I don't want them to have to sign off and sign back on as another user with local admin rights to perform these tasks.  

This is my first server setup.  So, I know enough to be VERY dangerous.  That's why I'm asking for help so it is not a complete failure.  LOL.

I tried to install a simple Flash update and I didn't have rights as the user.  Perfectly fine when I signed in with my credentials.  Same went with the printer/copier.

See where I'm coming from?  Does that help you help me some?

Thanks to you both for your patience in helping me learn and become their network guy.

Rexx
0
 
LVL 4

Assisted Solution

by:AnthonyHamon
AnthonyHamon earned 250 total points
ID: 35175607
Thanks Rexx,

The solution I provided achieves your requirement.  You just need to ensure that every user is added to the global security group when created and that every client computer is in the client computers OU.

Kind Regards,

Anthony
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 35176268
To make things much simpler, add the "Authenticated Users" group to the Restricted Groups GPO, as any user you create will be a member of the Authenticated Users group.
0
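
An added example, not part of the original thread: a Restricted Groups setting like the one in the answers above is saved in the GPO's GptTmpl.inf under a `[Group Membership]` section, and this PowerShell lists who it places in local Administrators (SID S-1-5-32-544), marking principals that cover every account. The sample file text and its SIDs are constructed, and `Get-RestrictedAdminMembers` is a hypothetical helper name.

```powershell
# Constructed sample of the GptTmpl.inf a Restricted Groups GPO writes under
# SYSVOL (...\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf). SIDs are made up.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-11
'@

# Well-known principals that cover every account rather than a managed group.
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

# Hypothetical helper: returns one object per member the policy enforces.
function Get-RestrictedAdminMembers {
    param([string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        # S-1-5-32-544 is the built-in local Administrators group.
        if ($inSection -and $line -match '^\*?S-1-5-32-544__Members\s*=\s*(.*)$') {
            foreach ($entry in ($Matches[1] -split ',')) {
                $sid = $entry.Trim().TrimStart('*')
                if (-not $sid) { continue }
                $name = $broad[$sid]
                # RID 513 on a domain SID is the Domain Users group.
                if (-not $name -and $sid -match '^S-1-5-21-(\d+-){3}513$') { $name = 'Domain Users' }
                [pscustomobject]@{ Principal = $sid; Broad = [bool]$name; Note = $name }
            }
        }
    }
}

Get-RestrictedAdminMembers -InfText $sampleInf | Format-Table -AutoSize
```

Because 'Members of this group' sets the complete membership, any account or group missing from the `__Members` line is removed from local Administrators when the policy applies.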
 
LVL 16

Assisted Solution

by:kshays
kshays earned 125 total points
ID: 35177511
You can also create a startup script in the GPO.  Something like this.

net localgroup administrators "domain\domain users" /add

Save it as a filename.bat

Place that file in the startup script on the gpo that is linked to your computers.  Personally I would do restricted groups and add the users in there.  Like the others have said I would create new OU's and design it logically for group policy processing, but since you are new I would be afraid of you adding this to the default domain policy.  

Kevin
0
 
LVL 13

Assisted Solution

by:connectex
connectex earned 125 total points
ID: 35178019
I've noted this on another post. I also don't recommend giving local administrator rights to users. But if you must, the proper way to do this is via Windows SBS Console. Click Users & Groups, double click on a user from the list. Select computers on the left side. Highlight the computer name. Select the desired access level from the drop down. Note that it says the changes will be delivered via group policy. I know it's not the simplest or quickest method. But it's how the SBS team designed it to work. And this way you don't have to worry about it being stepped on by another GPO.
0
