Joel Armstrong
asked on
Need to Grant local admin rights to xp computers from Active Directory

I have a large network with mostly XP users and some Win7 users. I want to give some users local admin rights to their computers from Active Directory. I have tried creating a GPO and linking it to an OU containing the target computers. Then in Restricted Groups of the GPO I added the group I wanted to have local admin rights, but when the user logs in they also have admin rights to the server and all the shares. Is there any hope?
Shane McKeown

If they have admin rights to the server and shares, it's because the group you added to the Restricted Groups has those rights... can you not use a completely separate group that isn't an admin group on the server?
This should work the same way on XP as it does on Windows 7. See image attached.
(attachment: ww-admin.jpg)
Joel Armstrong (asker)
The group created was a new group called "localPCadmins". The users were added to that group. localPCadmins was added to Restricted Groups and made a member of Administrators. How do you add to the local Administrators group of a workstation and not a server? I have attached a file.
(attachment: restrictedGroups.bmp)
I believe you have to do it from the machine. Log in as administrator, add the user to the Administrators group for the local machine and that should work. That's how I do it.
That tells me you have BOTH servers and workstations in the same OU? Which is why they are now admins on the server...

Any reason you have workstations and servers in the same OU? That's not a good design...

What you have done is correct - only if the machines are in a separate OU...
The server is in the same container but a different OU.   The domain is corp.local and the OU is corp.local/test.  No servers are under the test OU.
Are you saying that after running and applying that GPO that the 'localPCadmins' group was added to the server? If so then somehow the server got the GPO...

On the server check the Local Admins group - is this a DC or a member server?
If they are in then remove the group...
The localPCadmins are in an OU called Groups. The server is a DC. When I add administrators in restricted groups this is how it's added.   See file.

There are also two groups that were built into 2008, PC Administrators and PC Power Users. I assume they are for the same thing and do the same thing if I add them to a GPO in the same manner.
(attachment: localPCadmins.bmp)
ASKER CERTIFIED SOLUTION
Shane McKeown
(solution text is only available to Experts Exchange members and is not shown on this page)
SOLUTION
Sandesh Dubey
(solution text is only available to Experts Exchange members and is not shown on this page)
It seems that you modified the Restricted Groups on some GPO that is linked to the top domain or to the Domain Controllers container.

- You have to create two OUs: one for your servers and the other for the PCs. Leave the DCs in the default Domain Controllers container.
- Move all servers except the DCs to the Servers OU.
- Move the PCs to the Workstations OU.
- Create a GPO (name it, for example, "Restricted groups for PCs") and utilize the Restricted Groups feature of the GP.
- Link this GPO to the Workstations OU only. Then the localPCadmins group will be added to the PCs only.
OK, I finally realized what I had done. After adding localPCadmins to Restricted Groups and then adding Administrators to "This group is a member of", I was clicking the Browse button and adding Administrators, which added the BUILTIN\Administrators on the server. I had remembered reading somewhere that all that is needed is to type the word Administrators.
The word Administrators has to be there or AD will not push the localPCadmins group to the workstation. It's working fine now and users don't have server admin rights. "Wheeew!", what a relief.

Thanks a million for the help.
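The OU split and GPO link from the answer above, plus checks for the pitfall the asker hit (localPCadmins ending up in the domain's Administrators group instead of only the local one), as an added PowerShell example that is not part of the thread and not code from any of its participants. It assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or RSAT), the domain corp.local and the group localPCadmins from the thread, the GPO name suggested in the answer, WinRM on the workstation for the remote check, and a placeholder workstation name WS-TEST01. The Restricted Groups setting itself (localPCadmins, "This group is a member of: Administrators", typed rather than browsed) still has to be entered in the GPMC editor, since no GroupPolicy cmdlet sets it.

```powershell
# Added example (not from the thread). Builds the Servers/Workstations OU split,
# links the Restricted Groups GPO to the Workstations OU only, then verifies that
# localPCadmins is NOT in the domain's privileged groups and IS in the local
# Administrators group of a workstation.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = 'DC=corp,DC=local'             # domain from the thread
$groupName = 'localPCadmins'                # group from the thread
$gpoName   = 'Restricted groups for PCs'    # GPO name suggested in the answer
$pc        = 'WS-TEST01'                    # placeholder workstation (assumption)

# 1. Separate OUs for member servers and workstations. DCs stay in the default
#    Domain Controllers container, as the answer says.
foreach ($ou in 'Workstations', 'Servers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN
    }
}

# 2. Move computers by OS. Anything already under Domain Controllers is skipped.
Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    ForEach-Object {
        $target = if ($_.OperatingSystem -like '*Server*') { "OU=Servers,$domainDN" }
                  else { "OU=Workstations,$domainDN" }
        if ($_.DistinguishedName -notlike "*,$target") {
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
        }
    }

# 3. Create the GPO and link it to the Workstations OU only. The Restricted
#    Groups entry is configured in the GPMC editor (no cmdlet for it).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
New-GPLink -Name $gpoName -Target "OU=Workstations,$domainDN" -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. The GPO must not be linked at the domain root or the Domain Controllers OU;
#    either link is what would push the setting onto a DC.
foreach ($scope in $domainDN, "OU=Domain Controllers,$domainDN") {
    $links = (Get-GPInheritance -Target $scope).GpoLinks |
             Where-Object { $_.DisplayName -eq $gpoName }
    if ($links) { Write-Warning "$gpoName is linked at $scope - remove this link" }
}

# 5. The symptom from the question: localPCadmins must not be a member of the
#    domain's built-in Administrators or Domain Admins groups.
foreach ($privGroup in 'Administrators', 'Domain Admins') {
    $members = Get-ADGroupMember -Identity $privGroup | Select-Object -ExpandProperty SamAccountName
    if ($members -contains $groupName) {
        Write-Warning "$groupName is a member of $privGroup - this is what gave users server admin rights"
        # Cleanup once the GPO is fixed:
        # Remove-ADGroupMember -Identity $privGroup -Members $groupName
    }
}

# 6. On a workstation (after gpupdate /force) the group must appear in the LOCAL
#    Administrators group. 'net localgroup' exists on XP and later, whereas
#    Get-LocalGroupMember needs PowerShell 5.1 and does not run on XP.
$local = Invoke-Command -ComputerName $pc -ScriptBlock { net localgroup Administrators }
if ($local -match "CORP\\$groupName") {
    "$groupName is in the local Administrators group on $pc"
} else {
    Write-Warning "$groupName is not in the local Administrators group on $pc"
}
```

Step 5 is the check to run first when users suddenly have rights on the server: Restricted Groups only ever touches the computers the GPO applies to, so a domain group that shows up inside the domain's Administrators group means the policy was applied to a DC (wrong link scope) or the "member of" target was resolved to the domain's BUILTIN\Administrators rather than typed as the local group name, which is the mistake the asker found.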