push out local admins through GPO on server 2003

Hi,

I am trying to make some users admins on their local machine. I tried using restricted groups route but what people don't realize is that actually makes users a network admin. How do I know that? I tested it and was able to join a PC to a domain as a test user. Needless to say I don't need end users with network admin privileges.  

thanks
aackarAsked:
Who is Participating?
 
aackarConnect With a Mentor Author Commented:
Ok,

so I figured this one out and want to share with whoever needs it if they find they are having the same problem as I am having.
Originally I used the following link:
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Like mentioned before this not only gave users local admin privileges but also domain admin privileges. Once you add the group you created to the restricted group, you absolutely CANNOT go under "this group is a member of" and add the administrator group.
Also check the domain built-in administrator group and make sure that the new group you created (in the example provided under the link provided they call their group IT_Admins) didn't get added in there as well.
0
 
Mike KlineCommented:
What do you mean it made them network admin?  It should only give them admin rights on the machines where you set the restricted groups GPO.   It shouldn't give them domain admin rights.

Thanks

Mike
0
 
Alan HardistyCo-OwnerCommented:
There is a step-by-step guide here:

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Just used it myself for a 2008 server and so far so good.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
pony10usCommented:
I think your test may be the flaw.  By default any authenticated user can join up to 10 computers to a domain unless this was changed.

Please look at this technet article:  http://technet.microsoft.com/en-us/library/cc780195%28WS.10%29.aspx
0
 
BadPandaCommented:
Network administrators are not the same as local admins.  
Local is specific to the local node on the network.  The local administrator permissions for the user do not propegate through the network.
Network administrative permissions are domain specific, not machine specific.  Unless specifically changed network administrators have full rights and permissions of every device on the network.  
Pony, I wasn't aware standard users could join up to 10 machines to the domain.  Thanks for the link.
Panda
0
 
pony10usCommented:
Your welcome Panda.

You can set a domain user to be a local admin through GPO by following this technet article:  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx

This will make that user a local admin on ANY machine they log on to that gets the GPO.  If you want to restrict them to a specific machine it can be done. We do this with laptops so we have a specific OU for laptops and assign the GPO to that OU.
0
 
aackarAuthor Commented:
Pony,

according to that technet article you have to set a particular security setting on the GPO in order to allow users to join PCs to the domain. I tried with multiple non-network admin accounts and got an access denied. Using the test account that's become a  network admin account through restricted groups, now you can log into a DC and make changes under AD users and computers as well, like add users, groups, join PCs to the domain etc. Does anyone know of a different way to do this other than using restricted groups?
0
 
aackarAuthor Commented:
I am accepting my own answer as solution so that people searching for answers for that same problem won't skip over this thread because it's marked as unanswered. That's something I've done in the past.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.