Solved

Create GPO to automatically set new users as local admin on client machine

Posted on 2011-03-20
8
1,126 Views
Last Modified: 2012-05-11
I would like for my new users to automatically be administrators on their client machine.  I've been unsuccessful in creating that GPO.  I don't know where to start.  Could someone give me a step by step on this one?  Click here, type there, click this....etc.  

This is the only domain controller.  It's a small office with 4 users that plans on expanding and I don't want to have to individually assign those local rights each time I add a user.  There must be a way!  LOL

Thanks!
Rexx
0
Question by:rexxnet
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35175391
There have always been Restricted Groups in group policy.  Since you are on 2008 you can also use Group Policy Preferences to do this.   Alan has a very good blog entry   http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Let me know if that makes sense

Thanks

Mike
0
 
LVL 4

Accepted Solution

by:
AnthonyHamon earned 250 total points
ID: 35175420
It is not a good security practice to give users local administrator access on their machines, however, you may have good reason to do this (sermon over!)

Do you want the users to be local administrators on their own client machine only or on all client machines?  For the first scenario, there is no simple way to achieve this with Group Policy, for the second, however, the process is very simple.

(Make sure you understand the implications of these changes before applying them to the production environment)

Step 1
Ensure that all client workstations are in their own OU (with no other servers or workstations) and that there is a Global security group that contains the client workstation users.

Step 2
Create a new GPO linked to the client computers OU (or if you have an existing GPO for these client computers you can edit that one).  Make sure that the GPO will ONLY apply to the client computers.

Step 3
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Step 4
Right click on Restricted Groups and select Add Group.  Add a group called Administrators

Step 5
Edit the group, and, in the 'Members of this group' section, add the Global Security group that contains the client computer users.

Step 6
Click OK to close the 'Administrators Properties' window and close GPME.

All users in the Global Security group that contains the client computer users will be local administrators of the client computers.

I hope this helps.
0
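The procedure above, as an added PowerShell example that is not part of Anthony's answer: it scripts Steps 1 and 2 (the workstation OU, the global group and the GPO link) and adds two checks a practitioner would want before relying on it. The names Workstations, Workstation Local Admins and Workstation Local Administrators are assumptions, and the cmdlets need the ActiveDirectory and GroupPolicy modules (RSAT on Windows Server 2008 R2 or later). Steps 3 to 6, the Restricted Groups entry itself, are still configured in the Group Policy Management Editor; nothing here writes the policy's security template. One caveat the answer does not spell out: the 'Members of this group' list is authoritative, so any group you do not list there (Domain Admins included) is removed from the local Administrators group at the next policy refresh, so list Domain Admins alongside the new group.

```powershell
# Added example, not from the original thread. Assumed names: OU "Workstations",
# global group "Workstation Local Admins", GPO "Workstation Local Administrators".
# Requires the ActiveDirectory and GroupPolicy modules (RSAT, Server 2008 R2+).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'Workstations'
$ouDn      = "OU=$ouName,$domainDn"
$groupName = 'Workstation Local Admins'
$gpoName   = 'Workstation Local Administrators'

# Step 1: an OU that holds only client workstations, and a global security group
# that the Restricted Groups policy will place in each workstation's local
# Administrators group.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn `
        -Description 'Members become local Administrators on workstations via Restricted Groups'
}

# Step 2: a GPO linked only to the workstation OU. Linking at the OU rather than
# the domain is what keeps the policy off the domain controller and any servers.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}
# Steps 3-6 (Restricted Groups > Administrators > Members of this group) are set
# in GPME. Remember to list Domain Admins as well as $groupName there.

# Check: every client must actually live under the OU, or it never receives the
# policy. Domain controllers and servers are excluded on purpose; they must
# NOT be moved into this OU.
function Get-WorkstationsOutsideOu {
    Get-ADComputer -Filter * -Properties OperatingSystem, primaryGroupID |
        Where-Object {
            $_.primaryGroupID -ne 516 -and                # not a domain controller
            $_.OperatingSystem -notlike '*Server*' -and   # not a member server
            $_.DistinguishedName -notlike "*,$ouDn"
        } | Select-Object Name, DistinguishedName, OperatingSystem
}

# Onboarding: creating the user and adding it to the group is the only per-user
# step; the GPO does the rest on every workstation at the next policy refresh.
function New-WorkstationUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    New-ADUser -Name $Name -SamAccountName $SamAccountName -AccountPassword $Password `
        -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $groupName -Members $SamAccountName
}

Get-WorkstationsOutsideOu | Format-Table -AutoSize
```

Run it once on the DC; afterwards onboarding a user is a single New-WorkstationUser call, and Get-WorkstationsOutsideOu lists the machines that still need to be moved into the OU before the policy reaches them.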
 

Author Comment

by:rexxnet
ID: 35175475
Mike:

This goes much further than I want to go with individual computer names.  I just simply want to make the new user an administrator on any computer they sign in to.  This is a small organization and the article, thorough as it is, is asking to add individual computer names.  If I wind up having 50 computers, I don't want to add each computer to this list.  I want it to be automatic.  Isn't there a simpler solution?

Rexx
0
 

Author Comment

by:rexxnet
ID: 35175505
Anthony:

The main reason I want to do this is to allow the users to be able to add hardware when necessary and install software as needed.  I will not be onsite all of the time and I don't want them to have to sign off and sign back on as another user with local admin rights to perform these tasks.  

This is my first server setup.  So, I know enough to be VERY dangerous.  That's why I'm asking for help so it is not a complete failure.  LOL.

I tried to install a simple Flash update and I didn't have rights as the user.  Perfectly fine when I signed in with my credentials.  Same went with the printer/copier.

See where I'm coming from?  Does that help you help me some?

Thanks to you both for your patience in helping me learn and become their network guy.

Rexx
0
 
LVL 4

Assisted Solution

by:AnthonyHamon
AnthonyHamon earned 250 total points
ID: 35175607
Thanks Rexx,

The solution I provided achieves your requirement.  You just need to ensure that every user is added to the global security group when created and that every client computer is in the client computers OU.

Kind Regards,

Anthony
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 35176268
To make things much simpler, add the "Authenticated Users" group to the Restricted Groups GPO, as any user you create will be a member of the Authenticated Users group.
0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 125 total points
ID: 35177511
You can also create a startup script in the GPO.  Something like this.

net localgroup administrators "domain\domain users" /add

Save it as a filename.bat

Place that file in the startup script on the GPO that is linked to your computers.  Personally I would do Restricted Groups and add the users in there.  Like the others have said, I would create new OUs and design it logically for group policy processing, but since you are new I would be afraid of you adding this to the Default Domain Policy.  

Kevin
0
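A hardened variant of the startup-script approach, added here as an example rather than kshays's script: it is idempotent (a startup script runs on every boot, and a bare `net localgroup ... /add` fails with error 1378 once the member is already present), it adds a dedicated group instead of Domain Users, it logs what it did, and it flags over-broad principals in the local Administrators group. Authenticated Users, suggested two comments up, covers every account that has authenticated to the domain, computer accounts included, so the audit lists it. The domain NetBIOS name CORP, the group name and the log path are assumptions. It uses ADSI (the WinNT provider) so it runs on Windows 7 clients without the newer LocalAccounts cmdlets. Do not combine it with a Restricted Groups 'Members of this group' list: that list is authoritative and removes anything the script adds unless the same group is listed there too.

```powershell
# Added example, not kshays's script. Assumes domain NetBIOS name CORP and a
# group "Workstation Local Admins" created for this purpose; both are placeholders.
# Deploy as a computer Startup script (Computer Configuration > Policies >
# Windows Settings > Scripts); it runs as SYSTEM, so no credentials are embedded.
$DomainName = 'CORP'
$AdminGroup = 'Workstation Local Admins'
$LogFile    = "$env:SystemRoot\Temp\LocalAdminStartup.log"

# Principals that should never sit in a local Administrators group: each one
# makes every account in the domain (Authenticated Users also includes computer
# accounts) an administrator of this machine.
$OverBroad = @('Authenticated Users', 'Domain Users', 'Everyone', 'Users', 'INTERACTIVE')

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Get-LocalAdminMembers {
    # Enumerates the local Administrators group via ADSI. Path looks like
    # WinNT://CORP/Workstation Local Admins, WinNT://NT AUTHORITY/Authenticated Users
    # or WinNT://CORP/HOSTNAME/Administrator for local accounts.
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in $group.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{ Name = $name; Path = $path }
    }
}

function Add-DomainGroupToLocalAdmins {
    param([string]$Domain, [string]$Group)
    $target  = "WinNT://$Domain/$Group"
    $present = Get-LocalAdminMembers | Where-Object { $_.Path -eq $target }
    if ($present) {
        Write-Log "$Domain\$Group already present; nothing to do"
        return
    }
    try {
        $admins = [ADSI]"WinNT://./Administrators,group"
        $admins.Add($target)          # throws if the group cannot be resolved
        Write-Log "added $Domain\$Group to Administrators"
    } catch {
        Write-Log "FAILED to add $Domain\$Group : $($_.Exception.Message)"
    }
}

function Test-OverBroadLocalAdmins {
    # Returns members that grant admin rights to far more than the intended group.
    Get-LocalAdminMembers | Where-Object { $OverBroad -contains $_.Name }
}

Add-DomainGroupToLocalAdmins -Domain $DomainName -Group $AdminGroup

$bad = @(Test-OverBroadLocalAdmins)
if ($bad.Count -gt 0) {
    Write-Log "WARNING over-broad principals in Administrators: $(($bad | ForEach-Object { $_.Path }) -join ', ')"
}
```

The script only ever adds; it never removes members, so an earlier manual change or a `Domain Users` entry left by the one-liner above stays in place and shows up in the log as a warning until someone removes it deliberately.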
 
LVL 13

Assisted Solution

by:connectex
connectex earned 125 total points
ID: 35178019
I've noted this on another post. I also don't recommend giving local administrator rights to users. But if you must, the proper way to do this is via the Windows SBS Console. Click Users & Groups, double click on a user from the list. Select Computers on the left side. Highlight the computer name. Select the desired access level from the drop down. Note that it says the changes will be delivered via group policy. I know it's not the simplest or quickest method. But it's how the SBS team designed it to work. And this way you don't have to worry about it being stepped on by another GPO.
0
