Solved

Local admin account was renamed using GPO. How Should I configure restricted groups

Posted on 2011-09-23
3
531 Views
Last Modified: 2012-05-12
Hi Experts,

Local Admin account was renamed at Default Domain Policy to ADM1. Need to enforce Local Administrators group to have a specific users and groups in it.

How Sould I input local admin account in restricted group gpo? Should I just type in "ADMINISTRATOR" or "ADM1"?

Tks!

Rodrigo Garcone
0
Comment
Question by:garconer
3 Comments
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36591316
As you have mentioned that local administrator account is renamed not the local adminstrator group you can achieve the same as below.

There is a much easier way to accomplish what you want:
Create a group in AD and add required users to that group:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group
That's it....the next time the computers are started, the group will be added to the local admin group.

If you want to configure restricted group refer this link:http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36593391
Use in GPO under Restricted Groups new admin name ("ADM1")
If you have at least one 2008R2/Win7 in your environment. it's much easier to use GPP (Group Policy Preferences) for that.
On 2003/XP client you need to install first CSE (Client Side Extension)

If you're interested with that, please let me know

Regards,
Krzysztof
0
 

Author Comment

by:garconer
ID: 36596782
Thks iSiek for your reply, but I'm looking for for some feedback from someone who already has DC on Server Core.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question