Solved

Create GP for a group so everyone in it is a local admin

Posted on 2011-09-09
Last Modified: 2012-05-12
Hey guys

I'd like to create a group so that everyone in it is a local admin on their computer. What is the easiest way of achieving it, and also what groups does this new group have to be a member of?
I know many people don't recommend local users being local admins, but that's something I need to achieve.
I have Windows 2008 Foundation Server with AD installed and all clients are Windows 7.
Thanks
Question by:kirret
6 Comments
 
LVL 10

Accepted Solution

by:
BloodRed earned 167 total points
ID: 36513482
Use the Restricted Groups GP setting to define a domain group which is a member of the local admin group and apply it to the computers you want them to have access to. Then add those users to that domain group.

http://support.microsoft.com/kb/279301
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 167 total points
ID: 36513491
NOT a good idea - but if you really want to do it just use a restricted group and add domain users to local administrators.

http://blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/archive/2007/04/23/adding-a-group-to-the-local-administrators-group.aspx
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 166 total points
ID: 36513494
You can use restricted groups, Florian has a great blog entry http://www.frickelsoft.net/blog/?p=13


You would create a group and then add that group to the local admin group using the group policy. Test first to get a feel for it.

Thanks

Mike
0

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36514904
I personally would not recommend using restricted groups to do this- restricted groups is a very powerful tool and simple mistakes can mean big headaches. You don't need to get any more complex than necessary.
 
Instead, there is a much easier way to accomplish what you want:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it....the next time the computers are started, the group will be added to the local admin group.

If you want to configure restricted groups, refer to this link: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36514959
Disagree, I think restricted groups is more reliable and easier than a login script.  Just test it...not that hard.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 36515864
I agree with @mkline71's disagreement

Restricted groups is the sensible option and it's applied/enforced each time the GP is refreshed.

0
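
The difference argued in this thread is that a startup script only ever adds a member, while Restricted Groups is re-applied at each GP refresh. The following is an added example, not code from any poster: a PowerShell startup script that adds the group only when it is missing, using the ADSI WinNT provider, and logs any local Administrators member outside an expected list. `CONTOSO`, `Workstation-Admins`, the expected-member list and the log path are placeholder assumptions.

```powershell
# Added example. ASSUMPTIONS: CONTOSO, Workstation-Admins and the log path are placeholders.
$Domain    = 'CONTOSO'
$GroupName = 'Workstation-Admins'
$LogFile   = Join-Path $env:SystemRoot 'Temp\localadmins-audit.log'
# Members considered normal on these clients; adjust to your environment.
$Expected  = @("$Domain/Domain Admins", "$env:COMPUTERNAME/Administrator", "$Domain/$GroupName")

function Get-LocalAdminMember {
    # ADSI WinNT provider: works on PowerShell 2.0, the version shipped with Windows 7.
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($admins.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/Name or WinNT://DOMAIN/COMPUTER/Name -> keep the last two parts.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        ($parts | Select-Object -Last 2) -join '/'
    }
}

function Add-DomainGroupToLocalAdmins {
    # Adds the group only when it is missing, so repeated startups are harmless.
    if (@(Get-LocalAdminMember) -contains "$Domain/$GroupName") { return 'already a member' }
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    [void]$admins.Add("WinNT://$Domain/$GroupName,group")
    return 'added'
}

try {
    $status = Add-DomainGroupToLocalAdmins
} catch {
    $status = "add failed: $($_.Exception.Message)"
}

# Drift check: a startup script only adds, it never removes, so report anything unexpected.
$unexpected = @(Get-LocalAdminMember | Where-Object { $Expected -notcontains $_ })
$stamp = Get-Date -Format 's'
Add-Content -Path $LogFile -Value "$stamp $env:COMPUTERNAME $Domain\$GroupName : $status"
foreach ($u in $unexpected) {
    Add-Content -Path $LogFile -Value "$stamp $env:COMPUTERNAME unexpected local admin: $u"
}
```

Startup scripts run in the computer's SYSTEM context, so the log file is the only place the result is visible unless the lines are forwarded elsewhere.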
