Solved

push out local admins through GPO on server 2003

Posted on 2013-01-10
644 Views
Last Modified: 2013-01-21
Hi,

I am trying to make some users admins on their local machine. I tried using restricted groups route but what people don't realize is that actually makes users a network admin. How do I know that? I tested it and was able to join a PC to a domain as a test user. Needless to say I don't need end users with network admin privileges.  

thanks
Question by:aackar
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38763681
What do you mean it made them network admin?  It should only give them admin rights on the machines where you set the restricted groups GPO.   It shouldn't give them domain admin rights.

Thanks

Mike
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38763687
There is a step-by-step guide here:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Just used it myself for a 2008 server and so far so good.
 
LVL 26

Expert Comment

by:pony10us
ID: 38763759
I think your test may be the flaw.  By default any authenticated user can join up to 10 computers to a domain unless this was changed.

Please look at this technet article:  http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx
 
LVL 2

Expert Comment

by:BadPanda
ID: 38764092
Network administrators are not the same as local admins.
Local is specific to the local node on the network. The local administrator permissions for the user do not propagate through the network.
Network administrative permissions are domain specific, not machine specific. Unless specifically changed, network administrators have full rights and permissions on every device on the network.
Pony, I wasn't aware standard users could join up to 10 machines to the domain.  Thanks for the link.
Panda
LVL 26

Expert Comment

by:pony10us
ID: 38764152
You're welcome, Panda.

You can set a domain user to be a local admin through GPO by following this technet article:  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx

This will make that user a local admin on ANY machine they log on to that gets the GPO.  If you want to restrict them to a specific machine it can be done. We do this with laptops so we have a specific OU for laptops and assign the GPO to that OU.
 

Author Comment

by:aackar
ID: 38764749
Pony,

According to that technet article you have to set a particular security setting on the GPO in order to allow users to join PCs to the domain. I tried with multiple non-network admin accounts and got an access denied. Using the test account that's become a network admin account through restricted groups, you can now log into a DC and make changes under AD Users and Computers as well, like add users, groups, join PCs to the domain etc. Does anyone know of a different way to do this other than using restricted groups?
 

Accepted Solution

by:
aackar earned 0 total points
ID: 38783071
Ok,

so I figured this one out and want to share with whoever needs it if they find they are having the same problem as I am having.
Originally I used the following link:
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

As mentioned before, this not only gave users local admin privileges but also domain admin privileges. Once you add the group you created to the restricted group, you absolutely CANNOT go under "This group is a member of" and add the Administrators group.
Also check the domain built-in administrator group and make sure that the new group you created (in the example provided under the link provided they call their group IT_Admins) didn't get added in there as well.
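A way to verify both points raised in this thread, whether the delegated group ended up in the domain's built-in Administrators group (the accepted answer) and whether the Restricted Groups GPO is linked only to a workstation OU rather than the domain root (pony10us's comment about scoping the GPO to a laptop OU), as an added PowerShell example that is not part of the thread or of the linked guides. It assumes the RSAT ActiveDirectory and GroupPolicy modules on the management workstation and WinRM on the spot-checked machines; IT_Admins is the group name used in the linked Spiceworks example, and the GPO name and computer names are placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory and
# GroupPolicy modules. IT_Admins is the group name used in the linked
# Spiceworks guide; the GPO name and computer names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DelegatedGroup = 'IT_Admins'
$GpoName        = 'Workstation Local Admins'   # placeholder: your Restricted Groups GPO
$DomainDns      = (Get-ADDomain).DNSRoot

# 1. Did the delegated group end up in a domain-wide admin group?
#    On a domain controller the "Administrators" group IS the domain's built-in
#    Administrators group, so a Restricted Groups "This group is a member of"
#    setting that reaches a DC puts the group here. That matches the symptom in
#    the thread: the test account could log on to a DC and edit AD objects.
$highPrivGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins'
foreach ($g in $highPrivGroups) {
    $hit = Get-ADGroupMember -Identity $g |
        Where-Object { $_.objectClass -eq 'group' -and $_.SamAccountName -eq $DelegatedGroup }
    if ($hit) {
        Write-Warning "$DelegatedGroup is a direct member of domain group '$g'. Remove it."
    } else {
        Write-Host "OK: $DelegatedGroup is not a direct member of '$g'."
    }
}

# 2. Where is the Restricted Groups GPO linked? A link at the domain root (or on
#    the Domain Controllers OU) applies the policy to DCs; link it to the
#    workstation/laptop OU instead, as suggested earlier in the thread.
#    (Element names LinksTo/SOMPath/Enabled are taken from the GPO XML report.)
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
foreach ($link in $report.GPO.LinksTo) {
    $path    = $link.SOMPath      # e.g. "corp.example" or "corp.example/Workstations"
    $enabled = $link.Enabled      # string "true"/"false" in the report
    $risky   = ($path -eq $DomainDns) -or ($path -like '*Domain Controllers*')
    if ($risky -and $enabled -eq 'true') {
        Write-Warning "GPO '$GpoName' is linked at '$path' and will apply to domain controllers."
    } else {
        Write-Host "Link: $path (enabled=$enabled)"
    }
}

# 3. Spot-check the real local Administrators membership on one workstation and
#    one DC. 'net localgroup' exists on every Windows version mentioned in the
#    thread (Server 2003 included); on a DC it shows the domain group.
$samples = 'WKS-TEST01', 'DC01'   # placeholders: one workstation, one DC
foreach ($c in $samples) {
    Write-Host "`n== $c =="
    Invoke-Command -ComputerName $c -ScriptBlock { net localgroup Administrators }
}
```

Run it from a management workstation as an account that can read AD and the GPO; a warning from step 1 or step 2 is the configuration the accepted answer describes, and step 3 confirms what each machine actually ended up with after the next gpupdate.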
 

Author Closing Comment

by:aackar
ID: 38800496
I am accepting my own answer as solution so that people searching for answers for that same problem won't skip over this thread because it's marked as unanswered. That's something I've done in the past.