• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 249
  • Last Modified:

Create GP for a group so everyone in it are local admins

Hey guys

I'd like to create a group so that everyone in it are local admins on their computers. What is the easiest way of acheiving it and also what groups this new group has to be a memeber of?
I know many people don't receommend local users being local admins but that's something I need to achieve.
I have Windows 2008 Foundation Server with AD installed and all clients are Windows 7.
Thanks
0
kirret
Asked:
kirret
3 Solutions
 
Justin CAWS Solutions ArchitectCommented:
Use the Restricted Groups GP setting to define a domain group which is a member of the local admin group and apply it to the computers you want them to have access to. Then add those users to that domain group.

http://support.microsoft.com/kb/279301
0
 
KCTSCommented:
NOT a good idea - but if you really want to do it just use a restricted group and add domain users to local administrators.

http://blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/archive/2007/04/23/adding-a-group-to-the-local-administrators-group.aspx
0
 
Mike KlineCommented:
You can use restricted groups, Florian has a great blog entry http://www.frickelsoft.net/blog/?p=13


You would create a group and then add that group to the loacl admin group using the group policy.  Test first to get a feel for it.

Thanks

Mike
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
SandeshdubeyCommented:
I personally would not recommend using restricted groups to do this- restricted groups is a very powerful tool and simple mistakes can mean big headaches. You don't need to get any more complex than necessary.
 
Instead, there is a much easier way to accomplish what you want:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group
That's it....the next time the computers are started, the group will be added to the local admin group.

If you want to configure restricted group refer this link:http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
Mike KlineCommented:
Disagree, I think restricted groups is more reliable and easier then a login script.  Just test it...not that hard.
0
 
KCTSCommented:
I agree with @mkline71's disagreement

Restricted groups is the sensible option and its applied/enforced each time the GP is refreshed.

0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now