Solved

Need to Grant local admin rights to xp computers from Active Directory

Posted on 2013-06-27
652 Views
Last Modified: 2013-06-28
I have large network with mostly xp users and some win7 users.  I want to give some users local admin rights to their computers from Active directory.  I have tried creating a GPO and linking it to an OU containing the target computers.  Then in restricted groups of the GPO I added the group I wanted to have local admin rights, but when the user logs in they also have admin rights to the server and all the shares.  Is there any hope?
Question by:JoelArmstrong
12 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 39282570
If they have admin rights to the server and shares, it's because the group you added to the Restricted Groups has those rights... can you not use a completely separate group that isn't an admin group on the server?
0
 
LVL 6

Expert Comment

by:Robert Saylor
ID: 39282586
This should work the same way on XP as it does on Windows 7. See image attached.
ww-admin.jpg
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39282616
The group created was a new group called "localPCadmins". The users were added to that group. localPCadmins was added to Restricted Groups and made a member of Administrators. How do you add to the local Administrators group of a workstation and not a server? I have attached a file.
restrictedGroups.bmp
0
 
LVL 6

Expert Comment

by:Robert Saylor
ID: 39282627
I believe you have to do it from the machine. Log in as administrator, add the user to the Administrators group for the local machine and that should work. That's how I do it.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39282630
That tells me you have BOTH servers and workstations in the same OU? Which is why they are now admins on the server...

Any reason you have workstations and servers in the same OU? That's not a good design...

What you have done is correct - only if the machines are in a separate OU...
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39282648
The server is in the same container but a different OU.   The domain is corp.local and the OU is corp.local/test.  No servers are under the test OU.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39282651
Are you saying that after running and applying that GPO that the 'localPCadmins' group was added to the server? If so then somehow the server got the GPO...

On the server check the Local Admins group - is this a DC or a member server?
If they are in then remove the group...
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39282710
The localPCadmins group is in an OU called Groups. The server is a DC. When I add Administrators in Restricted Groups this is how it's added. See file.

There are also two groups that were built into 2008, PC Administrators and PC Power Users. I assume they are for the same thing and do the same thing if I add them to a GPO in the same manner.
localPCadmins.bmp
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 400 total points
ID: 39282721
No...you are doing this wrong...

Don't add LocalPCAdmins to the 'Builtin Admins' group on the server - that's incorrect...

Basically the way this works is you create a group (you've done this).
You then add that group to 'Restricted Groups' in the GPO (you've done this).
Then you add the USERS you want to be in that group to the group (you have done this, I assume).

You DON'T add that group to Builtin/Admins...it will take care of this itself...

From what I can see this is where you are going wrong...
0
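An added audit script, not code from the thread or from any of its posters, for checking the outcome smckeown777 describes: it reads the local Administrators group on each machine and reports where the domain group actually ended up, so a DC or member server that picked it up is visible at once. It assumes the group name from the thread and the constructed computer names below.

```powershell
# Added example, not code from the thread. Audits which computers carry the
# localPCadmins group in their local Administrators group, so a Restricted
# Groups GPO that reached the wrong machine (here, a DC) shows up immediately.
# Assumptions: the group name from the thread and the constructed computer
# names below. The WinNT ADSI provider is used because it also works against
# XP / Server 2003 hosts that have no PowerShell remoting.
$group     = 'localPCadmins'                        # group from the thread
$computers = @('XP-PC01', 'WIN7-PC02', 'DC01')      # constructed sample names

function Get-LocalAdminMembers {
    param([string]$Computer)
    # On a DC, WinNT://DC/Administrators resolves to the domain's Builtin
    # Administrators group, which is exactly where this group must NOT appear.
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$results = foreach ($c in $computers) {
    try {
        $members = Get-LocalAdminMembers -Computer $c
        [pscustomobject]@{
            Computer = $c
            HasGroup = [bool]($members -contains $group)   # case-insensitive
            Members  = ($members -join ', ')
        }
    } catch {
        # Unreachable or access denied: report it rather than silently skipping.
        [pscustomobject]@{ Computer = $c; HasGroup = 'unreachable'; Members = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
# Any DC or server with HasGroup = True means the GPO is linked too high in
# the tree (domain root or Domain Controllers), or the group was added to
# Builtin\Administrators by hand, as happened in this thread.
```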
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 100 total points
ID: 39284271
It seems you have added the group to the admin group; it is not required. Ensure that the Restricted Groups policy is configured correctly, else it will not only add the required members to local Administrators, but it will remove any members that were in local Admins previously. You need to select the bottom box under "This group is a member of," so it won't wipe out current members on all machines. http://www.frickelsoft.net/blog/?p=13

Instead of the Restricted Groups GPO, you can also use a startup script to add a user/group to the Administrators group.
Set a startup script in Group Policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it... the next time the computers are started, the group will be added to the local admin group.

Instead of a group you can mention a user ID as below:
NET localgroup Administrators /add "domain_name\domain_Userid"

Hope this helps
0
 
LVL 5

Expert Comment

by:balmasri
ID: 39284442
It seems that you modified the Restricted Groups on some GPO that is linked to the top domain or to the Domain Controllers container.

- You have to create two OUs: one for your servers and the other for the PCs. Leave the DCs in the default Domain Controllers container.
- Move all servers except the DCs to the Servers OU.
- Move the PCs to the Workstations OU.
- Create a GPO (name it, for example, Restricted groups for PCs) and utilize the Restricted Groups feature of the GP.
- Link this GPO to the Workstations OU only. Then the LocalPC admin group will be added to the PCs only.
0
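An added scope check, not code from the thread or from balmasri, that follows the last step above: it lists every place the Restricted Groups GPO is linked and flags any link that is not the Workstations OU, which is how a policy ends up reaching the DC. It assumes the domain corp.local from the thread, the GPO and OU names from the post above, and the GroupPolicy module (RSAT / Server 2008 R2 or later).

```powershell
# Added example, not code from the thread. Lists where the Restricted Groups
# GPO is linked and flags links that would pull servers or DCs into scope.
# Assumptions: domain corp.local (from the thread), the GPO name and the
# 'Workstations' OU name from balmasri's post, and the GroupPolicy module.
Import-Module GroupPolicy

$domainDns = 'corp.local'
$gpoName   = 'Restricted groups for PCs'
$allowed   = "$domainDns/Workstations"   # the only scope this GPO should have

function Get-GpoLinkScopes {
    param([string]$Name, [string]$AllowedPath)
    # The XML report carries one LinksTo element per link, giving the SOM path
    # (domain root or OU) the GPO is linked to and whether the link is enabled.
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    foreach ($link in @($report.GPO.LinksTo)) {
        [pscustomobject]@{
            Path    = $link.SOMPath
            Enabled = [bool]::Parse($link.Enabled)
            # A link at corp.local or corp.local/Domain Controllers is what
            # caused the DC to receive the group in this thread.
            Risky   = ($link.SOMPath -ne $AllowedPath)
        }
    }
}

$links = Get-GpoLinkScopes -Name $gpoName -AllowedPath $allowed
$links | Format-Table -AutoSize

if ($links | Where-Object { $_.Enabled -and $_.Risky }) {
    Write-Warning "'$gpoName' is linked outside $allowed; servers or DCs may receive it."
}
```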
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39285324
Ok, I finally realized what I had done. After adding the localPCAdmins to Restricted Groups and then adding Administrators to "This group is a member of", I was clicking the Browse button and adding Administrators, which added the Builtin/Administrators on the server. I had remembered reading somewhere that all that is needed is to type the word Administrator.
The word Administrator has to be there or AD will not push the localPCadmin group to the workstation. It's working fine now and users don't have server admin rights. "Wheeew!", what a relief.

Thanks a million for the help.
0
