Local Admin's rights

tjie
Asked:
Hi,

This is related to local admin rights. A user who has these local admin rights will be able to install "a program or anything"; I believe a Domain Admin has this capability automatically.
To make it clear what I mean by these "local admin rights", please see the following:
- Say the domain's name is "Boba"; there is a user called "James White", which is read as "Boba\jwhite".

The normal way to give this user (=Boba\jwhite) the "local admin rights" is by following the PATH below.
PATH: At a workstation, do the following: right-click "My Computer" > select "Manage" > expand "Local Users and Groups" > highlight "Groups" > double-click "Administrators" (in the right pane) > click "Add" > select "Boba\jwhite" --> then the user jwhite will be able to install "everything" on the workstation.

But there is another way to give "Boba\jwhite" the "local admin rights"; I saw this method at a company. The arrangement is as follows:
- The company created a group called the "Boba Local Admin" group.
- Whenever a user, say Boba\jwhite, wants to install "something" on the workstation, the Security Administrator will ADD "Boba\jwhite" to the "Boba Local Admin" group. This user --> "Boba\jwhite" will be given a day to install; then, the next day, "Boba\jwhite" will be taken out of the "Boba Local Admin" group, so he will not be able to install "anything" anymore.

My question: does somebody know how to create the above "Boba Local Admin" group? (Please provide a few steps.)

Thank you

tjie
Hi, it is done by Group Policy.

How to Add domain accounts to Local Administrators Group using GPO

There are a lot of questions in newsgroups, forums, etc. about how to use Restricted Groups the right way, so I wanted to post a how-to for people to read.

Finding Restricted Groups is easy, but it only works in a domain with Active Directory, so trying to find it within the local GPO on your computer isn't possible.
[screenshot 1]

First, right-click on Restricted Groups and select "Add Group".
What you get is the default window to choose a group, either from your domain or from your local computer, depending on what configuration you want.
[screenshot 2]

Now you have two different choices of what to do with the group you selected: either "Members of this group" or "This group is a member of". The differences between these choices are big, so I explain them in two steps.
Members of this group

This is the choice you make when you want to add users to a group. What you select here is what you will see on the computers affected by this policy. So if, for example, you want to add a user to the local admin group on the computers, then don't forget to also add Administrator, or the Administrator account will be removed from the local Administrators group on the computers.

An example is this picture, where you have both the local Administrator account and the built-in Authenticated Users group.
[screenshot 3]
This group is a member of

You can use this choice if you want to add your selected group into another group. So this is the opposite of what you defined in choice 1 described above. This is also not something that will override any other configuration you have done. So if in the first choice you selected "Authenticated Users" and with this option select that it will be added to the "Administrators" group, any other user you might have added to the group (manually, perhaps) won't be overwritten by this choice.

So this example, which you can see in this picture, will add the "Power Users" group into the "Administrators" group.
[screenshot 4]

To summarize, it's fairly easy to use Restricted Groups, and it's also the easiest way to add/remove users in groups; you can control it in a much better way than you ever can by doing this manually. If you are doing this manually today, it's time to stop and use the right way instead.
Senior Active Directory Engineer
Top Expert 2012
Commented:
Yes, this is a part of rights delegation in an AD environment. You can consider implementing this in your environment.

In the domain, create a domain local group called dlg-boba-local-admins and a global group called gg-boba-local-admins. Make gg-boba-local-admins a member of dlg-boba-local-admins, and also put Domain Admins in the domain local group.

Now, everything depends on your environment:

1) Windows Server 2003 and Windows XP without the Client Side Extension (CSE)
Create a GPO called C-Boba-Local-Admins and link it to the OU with the servers to which you want to grant this group access.

Use Restricted Groups to configure that:
http://www.windowsecurity.com/articles/using-restricted-groups.html

2) Windows Server 2003 / XP / 2008 R2 or Win7

Install the CSE on all Server 2003 machines to be able to apply Group Policy Preferences (GPP):
http://www.microsoft.com/en-us/download/details.aspx?id=6955

and manage it using GPP:
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

When Boba needs admin rights, put his account into the gg-boba-local-admins group and that's all!

but...

this is good in general :) When you do that, Boba will have access to each server where the GPO is applied.

You should consider creating separate dlg and gg groups for each server in your domain and naming them

dlg-servername-local-admins
gg-servername-local-admins

and the rest is similar.

Regards,
Krzysztof
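The group pair described in the answer above, built with the ActiveDirectory PowerShell module, plus the one-day grant from the original question. This is an added example, not code from the thread or from Krzysztof. The OU path, the CSV log path and the function names are assumptions; `-MemberTimeToLive` is a real parameter of Add-ADGroupMember, but it only works once the Privileged Access Management optional feature is enabled in the forest (forest functional level 2016 or later), so the script falls back to logging an expiry and removing the member from a scheduled task when the feature is absent.

```powershell
# Added example, not code from the original thread.
# Builds the dlg/gg group pair from the answer above and grants a user a
# one-day membership. Assumes the RSAT ActiveDirectory module, rights to create
# groups, and the (assumed) OU and log path below.
Import-Module ActiveDirectory

$GroupsOU = 'OU=Groups,DC=boba,DC=local'          # assumed OU; adjust to your domain
$GrantLog = 'C:\ProgramData\LocalAdminGrants.csv'  # assumed path for the fallback expiry log
$dlg = 'dlg-boba-local-admins'
$gg  = 'gg-boba-local-admins'

# 1. Domain local group: the one the GPO places in the local Administrators group.
if (-not (Get-ADGroup -Filter "Name -eq '$dlg'")) {
    New-ADGroup -Name $dlg -GroupScope DomainLocal -GroupCategory Security -Path $GroupsOU `
        -Description 'Placed in local Administrators by GPO C-Boba-Local-Admins'
}
# 2. Global group: day-to-day membership changes happen here, never in dlg.
if (-not (Get-ADGroup -Filter "Name -eq '$gg'")) {
    New-ADGroup -Name $gg -GroupScope Global -GroupCategory Security -Path $GroupsOU `
        -Description 'Temporary local admins; nested in dlg-boba-local-admins'
}
# 3. Nest gg in dlg and keep Domain Admins in dlg as well (check first so the
#    script can be re-run without errors).
$current = @(Get-ADGroupMember -Identity $dlg | Select-Object -ExpandProperty SamAccountName)
foreach ($m in @($gg, 'Domain Admins')) {
    if ($current -notcontains $m) { Add-ADGroupMember -Identity $dlg -Members $m }
}

# 4. Time-boxed grant. -MemberTimeToLive works only when the Privileged Access
#    Management optional feature is enabled; otherwise record an expiry and let
#    Remove-ExpiredLocalAdmin clean up.
function Grant-TempLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [timespan]$Ttl = (New-TimeSpan -Days 1)
    )
    $pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
    if ($pam -and $pam.EnabledScopes.Count -gt 0) {
        # AD drops the member itself when the TTL runs out; nothing to forget.
        Add-ADGroupMember -Identity $gg -Members $SamAccountName -MemberTimeToLive $Ttl
        return 'ttl'
    }
    Add-ADGroupMember -Identity $gg -Members $SamAccountName
    [pscustomobject]@{
        User    = $SamAccountName
        Expires = (Get-Date).Add($Ttl).ToString('o')   # round-trip format, parses back exactly
    } | Export-Csv -Path $GrantLog -Append -NoTypeInformation
    return 'logged'
}

# Run from a scheduled task (hourly is plenty) when the TTL feature is unavailable.
function Remove-ExpiredLocalAdmin {
    if (-not (Test-Path $GrantLog)) { return 0 }
    $now = Get-Date
    $removed = 0
    $keep = foreach ($g in (Import-Csv $GrantLog)) {
        if ([datetime]::Parse($g.Expires) -le $now) {
            Remove-ADGroupMember -Identity $gg -Members $g.User -Confirm:$false
            $removed++
        } else {
            $g
        }
    }
    if ($keep) { $keep | Export-Csv -Path $GrantLog -NoTypeInformation }
    else       { Remove-Item $GrantLog }
    return $removed
}

# Usage: grant Boba\jwhite one day, then (from the scheduled task) expire old grants.
Grant-TempLocalAdmin -SamAccountName 'jwhite'
Remove-ExpiredLocalAdmin
```

Two things to check after using this: group membership is placed in the user's access token at logon, so jwhite has to log off and on again before the new rights show up on the workstation, and, for the same reason, the rights stay in any session that is still open after the membership is removed. The dlg group is the only one the GPO needs to name, so the GPO never has to change when users come and go.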
deroode, Systems Administrator
Commented:
"Restricted Groups" has the disadvantage that only the group named in the policy will become a member of the local Administrators group, and any manually added users will get kicked out. If you also want to be able to assign a domain account to one local workstation's Administrators group, you can also use a startup script to add the Boba\gg-boba-local-admins group to the local Administrators group:

net localgroup Administrators "Boba\gg-boba-local-admins" /ADD
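The same startup-script idea in PowerShell, as an added example that is not part of deroode's post: it checks the local Administrators group before adding, so it is safe to run at every boot, and prints the current membership so an account added by hand on that single workstation is not silently forgotten. It assumes Windows 10 / Server 2016 or later for the LocalAccounts cmdlets; the fallback parser expects English `net localgroup` output.

```powershell
# Added example, not code from the original thread: PowerShell form of the
# startup-script approach. Safe to run at every boot (checks before adding) and
# reports the current members so accounts added by hand on this one workstation
# remain visible. Assumes Windows 10 / Server 2016+ (LocalAccounts cmdlets) and
# English `net localgroup` output for the fallback parser.
$DomainGroup = 'Boba\gg-boba-local-admins'   # group name from the thread

function Get-LocalAdminNames {
    try {
        # Get-LocalGroupMember fails when the group holds an orphaned SID
        # (e.g. a deleted domain account), so keep a plain-text fallback.
        return @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name)
    } catch {
        # net localgroup prints a header, a dashed line, the members, then a status line.
        $inList = $false
        $names = foreach ($line in (net localgroup Administrators)) {
            if ($line -match '^-+$')                   { $inList = $true; continue }
            if ($line -match 'completed successfully') { break }
            if ($inList -and $line.Trim())             { $line.Trim() }
        }
        return @($names)
    }
}

function Add-DomainGroupToLocalAdmins {
    param([string]$Group = $DomainGroup)
    # -contains compares case-insensitively, so BOBA\... from the local SAM matches.
    if ((Get-LocalAdminNames) -contains $Group) { return $false }   # already a member
    Add-LocalGroupMember -Group 'Administrators' -Member $Group
    return $true
}

$added = Add-DomainGroupToLocalAdmins
"$DomainGroup added this run: $added"
'Members of local Administrators now:'
Get-LocalAdminNames | ForEach-Object { "  $_" }
```

Assign it as a computer startup script; it runs as SYSTEM, which is enough to change the local group. Adding a domain group needs a domain controller to resolve the name, so if the first boot after joining happens without network the add fails, and the script simply succeeds on the next boot.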

tjie, Author
Commented:
Thank you all.
I will try all the recommendations. There is one piece of related information which I want to provide: there are some domain admins (in this "Boba" domain); I am one of them. If I want to give the user "Boba\jwhite" the "local admin rights", I can do it; I just do it "manually" by following this PATH --->
PATH: At a workstation, do the following: right-click "My Computer" > select "Manage" > expand "Local Users and Groups" > highlight "Groups" > double-click "Administrators" (in the right pane) > click "Add" > select "Boba\jwhite"

What are your comments about it, please? (Do you think that the above GPOs are still necessary?)
deroode, Systems Administrator
Commented:
If you want to be able to add Boba\jwhite to the Administrators group on only one workstation, then you shouldn't use the "Restricted Groups" policy.
