• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 662
  • Last Modified:

push out local admins through GPO on server 2003

Hi,

I am trying to make some users admins on their local machine. I tried using restricted groups route but what people don't realize is that actually makes users a network admin. How do I know that? I tested it and was able to join a PC to a domain as a test user. Needless to say I don't need end users with network admin privileges.  

thanks
0
aackar
Asked:
aackar
1 Solution
 
Mike KlineCommented:
What do you mean it made them network admin?  It should only give them admin rights on the machines where you set the restricted groups GPO.   It shouldn't give them domain admin rights.

Thanks

Mike
0
 
Alan HardistyCommented:
There is a step-by-step guide here:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Just used it myself for a 2008 server and so far so good.
0
 
pony10usCommented:
I think your test may be the flaw.  By default any authenticated user can join up to 10 computers to a domain unless this was changed.

Please look at this technet article:  http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
BadPandaCommented:
Network administrators are not the same as local admins.  
Local is specific to the local node on the network.  The local administrator permissions for the user do not propegate through the network.
Network administrative permissions are domain specific, not machine specific.  Unless specifically changed network administrators have full rights and permissions of every device on the network.  
Pony, I wasn't aware standard users could join up to 10 machines to the domain.  Thanks for the link.
Panda
0
 
pony10usCommented:
Your welcome Panda.

You can set a domain user to be a local admin through GPO by following this technet article:  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx

This will make that user a local admin on ANY machine they log on to that gets the GPO.  If you want to restrict them to a specific machine it can be done. We do this with laptops so we have a specific OU for laptops and assign the GPO to that OU.
0
 
aackarAuthor Commented:
Pony,

according to that technet article you have to set a particular security setting on the GPO in order to allow users to join PCs to the domain. I tried with multiple non-network admin accounts and got an access denied. Using the test account that's become a  network admin account through restricted groups, now you can log into a DC and make changes under AD users and computers as well, like add users, groups, join PCs to the domain etc. Does anyone know of a different way to do this other than using restricted groups?
0
 
aackarAuthor Commented:
Ok,

so I figured this one out and want to share with whoever needs it if they find they are having the same problem as I am having.
Originally I used the following link:
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Like mentioned before this not only gave users local admin privileges but also domain admin privileges. Once you add the group you created to the restricted group, you absolutely CANNOT go under "this group is a member of" and add the administrator group.
Also check the domain built-in administrator group and make sure that the new group you created (in the example provided under the link provided they call their group IT_Admins) didn't get added in there as well.
0
 
aackarAuthor Commented:
I am accepting my own answer as solution so that people searching for answers for that same problem won't skip over this thread because it's marked as unanswered. That's something I've done in the past.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now