Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Lock down users on one machine using GP. Permit same users more rights on another machine. On same domain. Possible?

Posted on 2014-11-13
8
Medium Priority
?
383 Views
Last Modified: 2014-11-13
hi guys

We have a domain and would like to lock down a group of users to a particular server. However, we need those same users to be granted more rights for installing/configuring on a different server which sits on precisely the same domain.

Can this be done at all? If yes, then how does one do that?

Thanks for your help guys
Yashy
0
Comment
Question by:Yashy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 5

Accepted Solution

by:
A Karelin earned 2000 total points
ID: 40439512
Create a group in AD. Add users in this group. Add this group in local admin group on your server where these users can install/configure. I hope these users have rights as domain users and havent elevated rights.

Or you can create GPO for this group that grant more rights through adding in local admin group.
0
 
LVL 1

Author Comment

by:Yashy
ID: 40439522
Sweet man, don't know why I didn't think of that;)

Do Domain policies override local policies?
0
 
LVL 5

Assisted Solution

by:A Karelin
A Karelin earned 2000 total points
ID: 40439525
Do Domain policies override local policies?
Yes
http://technet.microsoft.com/en-us/library/cc785665%28v=ws.10%29.aspx
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 1

Author Comment

by:Yashy
ID: 40439560
Sadly that didn't work, as the actual domain policy we have takes over the local policy. So adding those users locked down on the domain to the local admin on another server didn't permit them to do anything.
0
 
LVL 5

Expert Comment

by:A Karelin
ID: 40439565
Add this group to local admin group manualy.
0
 
LVL 1

Author Comment

by:Yashy
ID: 40439569
That's what we're doing. The user group is locked down for the domain. But when we add this group to the local administrators group on the server, they can't access anything or do much.
0
 
LVL 5

Expert Comment

by:A Karelin
ID: 40439575
Why did you lock down this group?
0
 
LVL 5

Expert Comment

by:A Karelin
ID: 40439581
1.      Create a new group for users in Active Driectory that you wish to add to servers local administrator group.
Create a new group for your server. The server must be added to this group.

2.      

Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the server you are wanting to give users local administrative rights over. In Security Filtering you must delete Authenticated Users and add the group for server with the server.

3.      

Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings --> Restricted Groups

4.      

Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"

5.      
Add the Restricted Group to the local administrator group
In the Restricted Group Properties windows click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"

6.      

Once your users receive their updated group policy settings every servers within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.

7.      
Add a user or group of users to the Active Directory Restricted Group
When you are ready, or in a position where you need to provide local server admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question