M9J
Adding users to local admin group overrides domain admin credentials?
I recently used domain group policy to add specific users to a local security group (local admin)
At first everything appeared fine but then I started to notice that I could no longer remote into machines or check eventvwr as the domain administrator. I could do these things with the user added to the local admin security group via domain group policy. It appears that using GPO to add a specific domain user as a local admin on a workstation over-rode the credentials of a domain administrator. How can this be? Does domain not have priority? I'm sure I can add all domain admins to this group policy but that doesn't seem right.
The policy I edited was: Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
This is in a server 2008 R2 / Win 7 environment (XP machines are out there too)
Thanks,
Mike
ASKER
Thanks to both of you for the answer.
You selected the wrong suggestion to be your answer. It is not correct that "whatever you set with group policy will be the only users configured", but it is correct what Sandeshdubey wrote: "You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines. http://www.frickelsoft.net/blog/?p=13"
So it's possible, you only used it the wrong way round.
Yes, my suggestion is only true if you use the top box. Though the statements are correct when only configuring the top box, I completely forgot about the bottom box when I was typing that up. At best mine is a partial answer, though if his was configured via the top box it does explain the behavior he was seeing.
Ensure that the Restricted Groups policy is configured correctly, else it will not only add the required members to local Administrators, but it will remove any members that were in local Admins previously. You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines. http://www.frickelsoft.net/blog/?p=13
Alternately you can set a startup script in group policy with the following line:
NET localgroup Administrators "domain_name\domain_group" /add
Instead of group you can mention userid as below
NET localgroup Administrators "domain_name\domain_Userid" /add
Hope this helps
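The thread's point is that the "Members of this group" box of a Restricted Groups policy replaces the whole local Administrators membership (which is why Domain Admins disappeared), while "This group is a member of" only adds. Whichever way the policy is fixed, it helps to confirm the result on the workstations themselves. The script below is an added example, not code from the original thread or from any of its posters; it enumerates the local Administrators group through ADSI (which works on Windows 7 / PowerShell 2.0, where Get-LocalGroupMember does not exist) and reports whether the members you expect are still there. The domain name "DOMAIN" and the expected member list are placeholders to adjust for your environment.

```powershell
# Added example: verify that a Restricted Groups GPO did not strip expected
# members from the local Administrators group on this machine.
# "DOMAIN" is a placeholder NetBIOS domain name; adjust the list as needed.
$ExpectedMembers = @("DOMAIN\Domain Admins")

function Get-LocalAdminMembers {
    # Enumerate members via the WinNT ADSI provider; each member is a COM
    # object, so ADsPath is read through InvokeMember.
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.Invoke("Members") | ForEach-Object {
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/Domain Admins; normalise to DOMAIN\Domain Admins
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminMembership {
    param([string[]]$Expected)
    $current = @(Get-LocalAdminMembers)
    # -notcontains is case-insensitive, so DOMAIN\domain admins still matches
    $missing = @($Expected | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ("Expected members missing from local Administrators (policy likely used " +
                       "'Members of this group'): " + ($missing -join ", "))
        return $false
    }
    Write-Host ("Local Administrators on " + $env:COMPUTERNAME + ": " + ($current -join ", "))
    return $true
}

# Exit code 1 lets a scheduled task or startup script flag the machine for review.
if (-not (Test-LocalAdminMembership -Expected $ExpectedMembers)) { exit 1 }
```

Run it once on a machine that received the policy; if Domain Admins is reported missing, the policy is still populating the top box. After switching to the bottom box and running gpupdate /force, the same check should pass without you having to list every domain admin in the GPO.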