[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

push out local admins through GPO on server 2003

Posted on 2013-01-10
8
Medium Priority
?
657 Views
Last Modified: 2013-01-21
Hi,

I am trying to make some users admins on their local machine. I tried using restricted groups route but what people don't realize is that actually makes users a network admin. How do I know that? I tested it and was able to join a PC to a domain as a test user. Needless to say I don't need end users with network admin privileges.  

thanks
0
Comment
Question by:aackar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38763681
What do you mean it made them network admin?  It should only give them admin rights on the machines where you set the restricted groups GPO.   It shouldn't give them domain admin rights.

Thanks

Mike
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38763687
There is a step-by-step guide here:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Just used it myself for a 2008 server and so far so good.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 38763759
I think your test may be the flaw.  By default any authenticated user can join up to 10 computers to a domain unless this was changed.

Please look at this technet article:  http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:BadPanda
ID: 38764092
Network administrators are not the same as local admins.  
Local is specific to the local node on the network.  The local administrator permissions for the user do not propegate through the network.
Network administrative permissions are domain specific, not machine specific.  Unless specifically changed network administrators have full rights and permissions of every device on the network.  
Pony, I wasn't aware standard users could join up to 10 machines to the domain.  Thanks for the link.
Panda
0
 
LVL 26

Expert Comment

by:pony10us
ID: 38764152
Your welcome Panda.

You can set a domain user to be a local admin through GPO by following this technet article:  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx

This will make that user a local admin on ANY machine they log on to that gets the GPO.  If you want to restrict them to a specific machine it can be done. We do this with laptops so we have a specific OU for laptops and assign the GPO to that OU.
0
 

Author Comment

by:aackar
ID: 38764749
Pony,

according to that technet article you have to set a particular security setting on the GPO in order to allow users to join PCs to the domain. I tried with multiple non-network admin accounts and got an access denied. Using the test account that's become a  network admin account through restricted groups, now you can log into a DC and make changes under AD users and computers as well, like add users, groups, join PCs to the domain etc. Does anyone know of a different way to do this other than using restricted groups?
0
 

Accepted Solution

by:
aackar earned 0 total points
ID: 38783071
Ok,

so I figured this one out and want to share with whoever needs it if they find they are having the same problem as I am having.
Originally I used the following link:
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Like mentioned before this not only gave users local admin privileges but also domain admin privileges. Once you add the group you created to the restricted group, you absolutely CANNOT go under "this group is a member of" and add the administrator group.
Also check the domain built-in administrator group and make sure that the new group you created (in the example provided under the link provided they call their group IT_Admins) didn't get added in there as well.
0
 

Author Closing Comment

by:aackar
ID: 38800496
I am accepting my own answer as solution so that people searching for answers for that same problem won't skip over this thread because it's marked as unanswered. That's something I've done in the past.
0

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question