Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Create GP for a group so everyone in it are local admins

Posted on 2011-09-09
6
Medium Priority
?
247 Views
Last Modified: 2012-05-12
Hey guys

I'd like to create a group so that everyone in it are local admins on their computers. What is the easiest way of acheiving it and also what groups this new group has to be a memeber of?
I know many people don't receommend local users being local admins but that's something I need to achieve.
I have Windows 2008 Foundation Server with AD installed and all clients are Windows 7.
Thanks
0
Comment
Question by:kirret
6 Comments
 
LVL 10

Accepted Solution

by:
Justin C earned 668 total points
ID: 36513482
Use the Restricted Groups GP setting to define a domain group which is a member of the local admin group and apply it to the computers you want them to have access to. Then add those users to that domain group.

http://support.microsoft.com/kb/279301
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 668 total points
ID: 36513491
NOT a good idea - but if you really want to do it just use a restricted group and add domain users to local administrators.

http://blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/archive/2007/04/23/adding-a-group-to-the-local-administrators-group.aspx
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 664 total points
ID: 36513494
You can use restricted groups, Florian has a great blog entry http://www.frickelsoft.net/blog/?p=13


You would create a group and then add that group to the loacl admin group using the group policy.  Test first to get a feel for it.

Thanks

Mike
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36514904
I personally would not recommend using restricted groups to do this- restricted groups is a very powerful tool and simple mistakes can mean big headaches. You don't need to get any more complex than necessary.
 
Instead, there is a much easier way to accomplish what you want:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group
That's it....the next time the computers are started, the group will be added to the local admin group.

If you want to configure restricted group refer this link:http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36514959
Disagree, I think restricted groups is more reliable and easier then a login script.  Just test it...not that hard.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 36515864
I agree with @mkline71's disagreement

Restricted groups is the sensible option and its applied/enforced each time the GP is refreshed.

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question