Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 251
  • Last Modified:

Create GP for a group so everyone in it are local admins

Hey guys

I'd like to create a group so that everyone in it are local admins on their computers. What is the easiest way of acheiving it and also what groups this new group has to be a memeber of?
I know many people don't receommend local users being local admins but that's something I need to achieve.
I have Windows 2008 Foundation Server with AD installed and all clients are Windows 7.
Thanks
0
kirret
Asked:
kirret
3 Solutions
 
Justin CAWS Solutions ArchitectCommented:
Use the Restricted Groups GP setting to define a domain group which is a member of the local admin group and apply it to the computers you want them to have access to. Then add those users to that domain group.

http://support.microsoft.com/kb/279301
0
 
KCTSCommented:
NOT a good idea - but if you really want to do it just use a restricted group and add domain users to local administrators.

http://blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/archive/2007/04/23/adding-a-group-to-the-local-administrators-group.aspx
0
 
Mike KlineCommented:
You can use restricted groups, Florian has a great blog entry http://www.frickelsoft.net/blog/?p=13


You would create a group and then add that group to the loacl admin group using the group policy.  Test first to get a feel for it.

Thanks

Mike
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
SandeshdubeySenior Server EngineerCommented:
I personally would not recommend using restricted groups to do this- restricted groups is a very powerful tool and simple mistakes can mean big headaches. You don't need to get any more complex than necessary.
 
Instead, there is a much easier way to accomplish what you want:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group
That's it....the next time the computers are started, the group will be added to the local admin group.

If you want to configure restricted group refer this link:http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
Mike KlineCommented:
Disagree, I think restricted groups is more reliable and easier then a login script.  Just test it...not that hard.
0
 
KCTSCommented:
I agree with @mkline71's disagreement

Restricted groups is the sensible option and its applied/enforced each time the GP is refreshed.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now