Solved

Need to Grant local admin rights to xp computers from Active Directory

Posted on 2013-06-27
12
655 Views
Last Modified: 2013-06-28
I have large network with mostly xp users and some win7 users.  I want to give some users local admin rights to their computers from Active directory.  I have tried creating a GPO and linking it to an OU containing the target computers.  Then in restricted groups of the GPO I added the group I wanted to have local admin rights, but when the user logs in they also have admin rights to the server and all the shares.  Is there any hope?
0
Comment
Question by:JoelArmstrong
12 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 39282570
If they have admin rights to the server and shares it's because the group you added to the Restricted groups has those rights... can you not use a completely separate group that isn't an admin group on the server?
0
 
LVL 7

Expert Comment

by:Robert Saylor
ID: 39282586
This should work the same way on XP as it does on Windows 7. See image attached.
ww-admin.jpg
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39282616
The group created was a new group called "localPCadmins". The users were added to that group. localPCadmins was added to restricted groups and made a member of administrators. How do you add to the local administrators group of a workstation and not a server? I have attached a file.
restrictedGroups.bmp
0
 
LVL 7

Expert Comment

by:Robert Saylor
ID: 39282627
I believe you have to do it from the machine. Login as administrator, add the user to the administrators group for the local machine and that should work. That's how I do it.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39282630
That tells me you have BOTH servers and workstations in the same OU? Which is why they are now admins on the server...

Any reason you have workstations and servers in the same OU? That's not a good design...

What you have done is correct - only if the machines are in a separate OU...
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39282648
The server is in the same container but a different OU.   The domain is corp.local and the OU is corp.local/test.  No servers are under the test OU.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39282651
Are you saying that after running and applying that GPO that the 'localPCadmins' group was added to the server? If so then somehow the server got the GPO...

On the server check the Local Admins group - is this a DC or a member server?
If they are in then remove the group...
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39282710
The localPCadmins are in an OU called Groups. The server is a DC. When I add administrators in restricted groups this is how it's added.   See file.

There are also two groups that were built into 2008, PC Administrators, and PC Power Users.  I assume the are for the same thing and do the same thing if I add them to a GPO in the same manner.
localPCadmins.bmp
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 400 total points
ID: 39282721
No...you are doing this wrong...

Don't add LocalPCAdmins to the 'Builtin Admins' group on the server - that's incorrect...

Basically the way this works is you create a group(you've done this)
You then add that group to 'Restricted Groups' in the GPO(you've done this)
Then you add the USERS you want to be in that group to the group(you have done this I assume)

You DON'T add that group to Builtin/Admins...it will take care of this itself...

From what I can see this is where you are going wrong...
0
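The accepted answer describes the intended outcome: the GPO itself puts localPCadmins into each workstation's local Administrators group, and nothing should have been added to the domain's Builtin\Administrators. The script below is an added example (not code from the thread or from Experts Exchange) that verifies both halves of that from an admin workstation: it lists the local Administrators group on every computer in the thread's corp.local/test OU and then checks that localPCadmins is absent from the domain-level Administrators group on the DC. It assumes the ActiveDirectory module (RSAT) is installed, that the domain's NetBIOS name is CORP, and that the ADSI WinNT provider can reach the workstations (it works against XP as well as Windows 7 and needs no WinRM).

```powershell
# Added example, not from the original thread.
# Assumptions: RSAT ActiveDirectory module present; NetBIOS domain name "CORP";
# the OU and group name come from the thread (corp.local/test, localPCadmins).

param(
    [string]$SearchBase     = 'OU=test,DC=corp,DC=local',
    [string]$ExpectedMember = 'CORP\localPCadmins'
)

Import-Module ActiveDirectory

# Members that are normal in a workstation's local Administrators group.
# Anything not in this list is reported so it can be reviewed.
$baseline = @('Administrator', $ExpectedMember, 'CORP\Domain Admins')

function Get-LocalAdmins {
    param([string]$ComputerName)
    # WinNT ADSI provider: returns the members of the machine-local group.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://CORP/localPCadmins for a domain principal
        # or WinNT://PC01/Administrator for a machine-local account.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts[0] -ieq $ComputerName) { $parts[1] } else { "$($parts[0])\$($parts[1])" }
    }
}

# 1. Per-workstation report: is the GPO-managed group present, and is anything else there?
$computers = Get-ADComputer -SearchBase $SearchBase -Filter * |
             Select-Object -ExpandProperty Name

foreach ($pc in $computers) {
    try {
        $admins = @(Get-LocalAdmins -ComputerName $pc)
    } catch {
        Write-Warning "$pc unreachable: $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        Computer         = $pc
        HasLocalPCAdmins = ($admins -contains $ExpectedMember)
        Unexpected       = (($admins | Where-Object { $baseline -notcontains $_ }) -join ', ')
    }
}

# 2. The mistake in the thread: localPCadmins ending up in the domain's Builtin\Administrators.
#    On a DC that group is domain-wide, so check it through AD rather than WinNT.
$domainAdminsMembers = Get-ADGroupMember -Identity 'Administrators' -Recursive |
                       Select-Object -ExpandProperty SamAccountName
if ($domainAdminsMembers -contains 'localPCadmins') {
    Write-Warning 'localPCadmins is a member of Builtin\Administrators on the domain - remove it.'
} else {
    Write-Host 'OK: localPCadmins is not in the domain Builtin\Administrators group.'
}
```

Run it after a `gpupdate /force` and reboot of a test workstation; a row with HasLocalPCAdmins = True and an empty Unexpected column is the state the accepted answer describes. The second check is the one that would have caught the original problem immediately, since the group should never appear in the domain-level Administrators group.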
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 100 total points
ID: 39284271
It seems you have added the group to admin group, it is not required. Ensure that restricted group policy is configured correctly else it will not only add required members to local Administrators, but it will remove any members that were in local Admins previously. You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines. http://www.frickelsoft.net/blog/?p=13

Instead of restricted GPO.
You can also use startup script to add user/group to administrator group on server.
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it.... the next time the computers are started, the group will be added to the local admin group.

Instead of group you can mention userid as below
NET localgroup Administrators /add "domain_name\domain_Userid"

Hope this helps
0
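The warning above about the two Restricted Groups forms is worth being able to check without opening the GPO editor, because the difference is exactly what decides whether existing local administrators survive. A Restricted Groups setting is stored in the GPO's security template on SYSVOL, under Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, in a [Group Membership] section whose keys end in __Members (the "Members of this group" form, which replaces the whole local group) or __Memberof (the "This group is a member of" form, which only adds the group). The parser below is an added example, not code from the thread, and runs against a constructed template that mirrors the localPCadmins setup; the SID-to-name table covers only the well-known BUILTIN groups and the template text is constructed, not taken from a real GPO.

```powershell
# Added example, not from the original thread: report what each Restricted Groups
# entry in a GptTmpl.inf will do, distinguishing the replace-all "Members" form
# from the additive "Memberof" form.
# Assumption: template path on a real domain is
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# The text below is a constructed sample.

$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
CORP\localPCadmins__Memberof = *S-1-5-32-544
CORP\localPCadmins__Members =
*S-1-5-32-544__Members = CORP\helpdesk
'@

# Well-known local group SIDs (complete list not needed for this check).
$wellKnown = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

function Resolve-Name([string]$token) {
    $token = $token.Trim()
    if ($token.StartsWith('*')) {
        $sid = $token.Substring(1)
        if ($wellKnown.ContainsKey($sid)) { return $wellKnown[$sid] }
        return $sid   # domain SIDs would need an AD lookup; left raw here
    }
    return $token
}

function Get-RestrictedGroupEntries([string]$infText) {
    $inSection = $false
    foreach ($line in ($infText -split "`r?`n")) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group   = Resolve-Name $Matches[1]
            $mode    = $Matches[2]
            $targets = @($Matches[3] -split ',' | Where-Object { $_.Trim() } |
                         ForEach-Object { Resolve-Name $_ })
            if ($targets.Count -eq 0) { continue }   # empty right-hand side: nothing set
            if ($mode -eq 'Members') {
                # Replace form: whatever is in the local group now is removed.
                $effect = "membership of '$group' is REPLACED with: $($targets -join ', ')"
            } else {
                # Additive form: the group is appended, existing members are kept.
                $effect = "'$group' is ADDED to: $($targets -join ', ') (existing members kept)"
            }
            [pscustomobject]@{ Group = $group; Mode = $mode; Targets = $targets; Effect = $effect }
        }
    }
}

Get-RestrictedGroupEntries $sampleInf | Format-List
```

For a real GPO, replace `$sampleInf` with `Get-Content -Raw` of the template path (the file is UTF-16 with a BOM, which Get-Content handles). In the sample, the localPCadmins line is the safe additive form the answer recommends, while the `*S-1-5-32-544__Members` line is the replace form: on every machine it applies to, the local Administrators group would be reduced to CORP\helpdesk, which is the "wipe out current members" outcome described above.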
 
LVL 5

Expert Comment

by:balmasri
ID: 39284442
It seems that you modified the restricted groups on some GPO that is linked to the top domain or the domain controllers container.
 
-you have to create two OUs : one for your servers and the other for the PCs. Leave the DC on the default Domain controllers container .
-move all Servers except the DCs to the servers OU.
-Move the PCs to the Workstations OU.
-Create a GPO ( name it for example  Restricted groups for PCs ) and utilize the Restricted group feature of the GP .
-link this GPO to the Workstations OU only. then the LocalPC admin will be added to the PCs only.
0
 
LVL 1

Author Comment

by:JoelArmstrong
ID: 39285324
Ok, I finally realized what I had done. After adding the localPCAdmins to restricted groups and then adding administrators to "this group is a member of" I was clicking the browse button and adding administrators which added the builtin/administrators on the server. I had remembered reading somewhere that all is needed is to type the word Administrator.
The word Administrator has to be there or AD will not push the localPCadmin group to the workstation. It's working fine now and users don't have server admin rights. "Wheeew!", what a relief.

Thanks a million for the help.
0
