Solved

push out local admins through GPO on server 2003

Posted on 2013-01-10
8
641 Views
Last Modified: 2013-01-21
Hi,

I am trying to make some users admins on their local machine. I tried using restricted groups route but what people don't realize is that actually makes users a network admin. How do I know that? I tested it and was able to join a PC to a domain as a test user. Needless to say I don't need end users with network admin privileges.  

thanks
0
Comment
Question by:aackar
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38763681
What do you mean it made them network admin?  It should only give them admin rights on the machines where you set the restricted groups GPO.   It shouldn't give them domain admin rights.

Thanks

Mike
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38763687
There is a step-by-step guide here:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Just used it myself for a 2008 server and so far so good.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 38763759
I think your test may be the flaw.  By default any authenticated user can join up to 10 computers to a domain unless this was changed.

Please look at this technet article:  http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx
0
 
LVL 2

Expert Comment

by:BadPanda
ID: 38764092
Network administrators are not the same as local admins.  
Local is specific to the local node on the network.  The local administrator permissions for the user do not propegate through the network.
Network administrative permissions are domain specific, not machine specific.  Unless specifically changed network administrators have full rights and permissions of every device on the network.  
Pony, I wasn't aware standard users could join up to 10 machines to the domain.  Thanks for the link.
Panda
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 26

Expert Comment

by:pony10us
ID: 38764152
Your welcome Panda.

You can set a domain user to be a local admin through GPO by following this technet article:  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx

This will make that user a local admin on ANY machine they log on to that gets the GPO.  If you want to restrict them to a specific machine it can be done. We do this with laptops so we have a specific OU for laptops and assign the GPO to that OU.
0
 

Author Comment

by:aackar
ID: 38764749
Pony,

according to that technet article you have to set a particular security setting on the GPO in order to allow users to join PCs to the domain. I tried with multiple non-network admin accounts and got an access denied. Using the test account that's become a  network admin account through restricted groups, now you can log into a DC and make changes under AD users and computers as well, like add users, groups, join PCs to the domain etc. Does anyone know of a different way to do this other than using restricted groups?
0
 

Accepted Solution

by:
aackar earned 0 total points
ID: 38783071
Ok,

so I figured this one out and want to share with whoever needs it if they find they are having the same problem as I am having.
Originally I used the following link:
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Like mentioned before this not only gave users local admin privileges but also domain admin privileges. Once you add the group you created to the restricted group, you absolutely CANNOT go under "this group is a member of" and add the administrator group.
Also check the domain built-in administrator group and make sure that the new group you created (in the example provided under the link provided they call their group IT_Admins) didn't get added in there as well.
0
 

Author Closing Comment

by:aackar
ID: 38800496
I am accepting my own answer as solution so that people searching for answers for that same problem won't skip over this thread because it's marked as unanswered. That's something I've done in the past.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now