Status: Solved

Need to grant local admin rights to XP computers from Active Directory

I have a large network with mostly XP users and some Win7 users. I want to give some users local admin rights to their computers from Active Directory. I have tried creating a GPO and linking it to an OU containing the target computers. Then in Restricted Groups of the GPO I added the group I wanted to have local admin rights, but when the user logs in they also have admin rights to the server and all the shares. Is there any hope?
Asked by: Joel Armstrong

2 Solutions

smckeown777 commented:
If they have admin rights to the server and shares it's because the group you added to the Restricted Groups has those rights...can you not use a completely separate group that isn't an admin group on the server?
 
Robert Saylor (Senior Developer) commented:
This should work the same way on XP as it does on Windows 7. See image attached.
Attachment: ww-admin.jpg
 
Joel Armstrong (Network Administrator, Author) commented:
The group created was a new group called "localPCadmins". The users were added to that group. localPCadmins was added to Restricted Groups and made a member of Administrators. How do you add to the local Administrators group of a workstation and not a server? I have attached a file.
Attachment: restrictedGroups.bmp
 
Robert Saylor (Senior Developer) commented:
I believe you have to do it from the machine. Log in as administrator, add the user to the Administrators group for the local machine and that should work. That's how I do it.
 
smckeown777 commented:
That tells me you have BOTH servers and workstations in the same OU? Which is why they are now admins on the server...

Any reason you have workstations and servers in the same OU? That's not a good design...

What you have done is correct - only if the machines are in a separate OU...
 
Joel Armstrong (Network Administrator, Author) commented:
The server is in the same container but a different OU. The domain is corp.local and the OU is corp.local/test. No servers are under the test OU.
 
smckeown777 commented:
Are you saying that after running and applying that GPO the 'localPCadmins' group was added to the server? If so then somehow the server got the GPO...

On the server check the local Admins group - is this a DC or a member server?
If they are in then remove the group...
 
Joel Armstrong (Network Administrator, Author) commented:
The localPCadmins group is in an OU called Groups. The server is a DC. When I add Administrators in Restricted Groups this is how it's added. See file.

There are also two groups that were built into 2008, PC Administrators and PC Power Users. I assume they are for the same thing and do the same thing if I add them to a GPO in the same manner.
Attachment: localPCadmins.bmp
 
smckeown777 commented:
No...you are doing this wrong...

Don't add LocalPCAdmins to the 'Builtin Admins' group on the server - that's incorrect...

Basically the way this works is you create a group (you've done this).
You then add that group to 'Restricted Groups' in the GPO (you've done this).
Then you add the USERS you want to be in that group to the group (you have done this I assume).

You DON'T add that group to Builtin/Admins...it will take care of this itself...

From what I can see this is where you are going wrong...
 
Sandeshdubey commented:
It seems you have added the group to the admin group; it is not required. Ensure that the Restricted Groups policy is configured correctly, else it will not only add the required members to local Administrators, but it will remove any members that were in local Admins previously. You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines. See http://www.frickelsoft.net/blog/?p=13

Instead of the Restricted Groups GPO, you can also use a startup script to add a user/group to the Administrators group on the server.
Set a startup script in group policy with the following line:
NET localgroup Administrators "domain_name\domain_group" /add
That's it....the next time the computers are started, the group will be added to the local admin group.

Instead of a group you can mention a user id as below:
NET localgroup Administrators "domain_name\domain_Userid" /add

Hope this helps
 
balmasri commented:
It seems that you modified the Restricted Groups on some GPO that is linked to the top domain or the Domain Controllers container.

- You have to create two OUs: one for your servers and the other for the PCs. Leave the DCs in the default Domain Controllers container.
- Move all servers except the DCs to the Servers OU.
- Move the PCs to the Workstations OU.
- Create a GPO (name it for example "Restricted groups for PCs") and utilize the Restricted Groups feature of the GP.
- Link this GPO to the Workstations OU only. Then the LocalPC admin group will be added to the PCs only.
 
Joel Armstrong (Network Administrator, Author) commented:
Ok, I finally realized what I had done. After adding localPCAdmins to Restricted Groups and then adding Administrators to "This group is a member of", I was clicking the Browse button and adding Administrators, which added the Builtin/Administrators on the server. I had remembered reading somewhere that all that is needed is to type the word Administrators.
The word Administrators has to be there or AD will not push the localPCadmin group to the workstation. It's working fine now and users don't have server admin rights. "Wheeew!", what a relief.

Thanks a million for the help.
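An added example, not part of the thread or any poster's own script, that covers the two checks raised above: Sandeshdubey's warning that a Restricted Groups entry configured under "Members" wipes whatever was in local Administrators before, and the author's resolution that the group should land on the workstations but not on the DC. The script enumerates the local Administrators group on a list of computers through the ADSI WinNT provider (so it also works against XP targets with no PowerShell installed) and warns where the result differs from what the GPO was supposed to do. The domain NetBIOS name CORP, the computer names, and the baseline list are assumptions; adjust them to your environment and run it from an account that is an administrator on each target.

```powershell
# Audit local Administrators membership after a Restricted Groups GPO (added example).
# Assumptions: CORP is the NetBIOS name of corp.local, localPCadmins is the pushed group,
# and the computer names below are constructed placeholders.

$Domain        = 'CORP'                          # assumption
$ExpectedGroup = "$Domain\localPCadmins"         # group pushed by the GPO in the thread

# Accounts normally present in a workstation's Administrators group (assumption).
# If a 'Members' (rather than 'Member of') Restricted Groups entry was used, these vanish.
$Baseline = @('Administrator', "$Domain\Domain Admins", $ExpectedGroup)

# Constructed inventory: workstations should receive the group, the DC must not.
$Targets = @(
    @{ Name = 'WS-XP-01'; IsWorkstation = $true  },
    @{ Name = 'WS-W7-02'; IsWorkstation = $true  },
    @{ Name = 'DC01';     IsWorkstation = $false }
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # WinNT provider: bind to the machine's local Administrators group and enumerate it.
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        # Each member is a COM object; read its ADsPath, e.g.
        #   WinNT://CORP/localPCadmins          (domain principal)
        #   WinNT://CORP/WS-XP-01/Administrator (local account on a domain-joined box)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 3 -or $parts[0] -eq $Computer) {
            $parts[-1]                          # local account: bare name
        } else {
            "$($parts[0])\$($parts[1])"         # domain principal: DOMAIN\name
        }
    }
}

foreach ($t in $Targets) {
    try {
        $members = @(Get-LocalAdminMembers -Computer $t.Name)
    } catch {
        Write-Warning "$($t.Name): could not enumerate Administrators ($($_.Exception.Message))"
        continue
    }

    $hasGroup = $members -contains $ExpectedGroup

    if ($t.IsWorkstation) {
        if (-not $hasGroup) {
            Write-Warning "$($t.Name): $ExpectedGroup is NOT in Administrators (GPO not applied?)"
        }
        # Anything outside the baseline is worth a look; anything missing from it suggests
        # the Restricted Groups entry replaced the membership instead of adding to it.
        $unexpected = $members  | Where-Object { $Baseline -notcontains $_ }
        $missing    = $Baseline | Where-Object { $members  -notcontains $_ }
        if ($unexpected) { Write-Warning "$($t.Name): unexpected members: $($unexpected -join ', ')" }
        if ($missing)    { Write-Warning "$($t.Name): baseline members missing: $($missing -join ', ')" }
    } elseif ($hasGroup) {
        # The failure mode from the thread: the group ended up in the DC's Administrators.
        Write-Warning "$($t.Name): $ExpectedGroup is in Administrators on a DC - remove it and check GPO links"
    }

    '{0}: {1}' -f $t.Name, ($members -join ', ')
}
```

Run it after a `gpupdate /force` and reboot of a test workstation; a clean run prints one line of membership per computer and no warnings. On the DC the WinNT provider returns the domain's Builtin Administrators group, which is exactly where the author's browse-and-pick mistake put localPCadmins, so the DC check is the one that would have caught the original problem.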
