Lock down users on one machine using GP. Permit same users more rights on another machine. On same domain. Possible?

Hi guys

We have a domain and would like to lock down a group of users to a particular server. However, we need those same users to be granted more rights for installing/configuring on a different server which sits on precisely the same domain.

Can this be done at all? If yes, then how does one do that?

Thanks for your help guys

A Karelin Commented:
Create a group in AD. Add the users to this group. Add this group to the local admin group on the server where these users can install/configure. I hope these users have rights as domain users and haven't elevated rights.

Or you can create a GPO for this group that grants more rights by adding it to the local admin group.

Yashy (Author) Commented:
Sweet man, don't know why I didn't think of that;)

Do Domain policies override local policies?
A Karelin Commented:
Do Domain policies override local policies?

Yashy (Author) Commented:
Sadly that didn't work, as the actual domain policy we have takes over the local policy. So adding those users locked down on the domain to the local admin on another server didn't permit them to do anything.
A Karelin Commented:
Add this group to the local admin group manually.
Yashy (Author) Commented:
That's what we're doing. The user group is locked down for the domain. But when we add this group to the local administrators group on the server, they can't access anything or do much.
A Karelin Commented:
Why did you lock down this group?
A Karelin Commented:
1. Create a new group for users in Active Directory that you wish to add to the server's local administrator group.

2. Create a new group for your server. The server must be added to this group.

3. Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU containing the server that you want to give users local administrative rights over. In Security Filtering you must delete Authenticated Users and add the server group that contains the server.

4. Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.

5. Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK".

6. Add the Restricted Group to the local administrator group.
   In the Restricted Group Properties window, click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK".

   Once your users receive their updated group policy settings, every server within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.

7. Add a user or group of users to the Active Directory Restricted Group.
   When you are ready, or in a position where you need to provide local server admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.
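
A check that can follow the Restricted Groups procedure above, added here as an example and not part of any post in this thread: it reports on which servers the delegated group actually ended up in the local Administrators group, so rights granted on the wrong machine show up as drift. The domain `CONTOSO`, the group `SRV-Install-Admins`, the server names `APP01` and `TS01`, and both function names are assumptions made for illustration; the membership data is constructed.

```powershell
# Added example: audit where a delegated AD group holds local admin rights.
# All names (CONTOSO, SRV-Install-Admins, APP01, TS01) are hypothetical.

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider reads local group membership remotely.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/Name; normalise to DOMAIN\Name.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-DelegatedAdmin {
    param(
        [Parameter(Mandatory)][string]$Group,        # DOMAIN\GroupName to look for
        [Parameter(Mandatory)][hashtable]$Expected,  # server -> $true if the group should be admin
        [hashtable]$Membership                       # optional pre-collected data (offline use)
    )
    foreach ($server in ($Expected.Keys | Sort-Object)) {
        if ($Membership) { $members = $Membership[$server] }
        else             { $members = Get-LocalAdminMembers -ComputerName $server }

        $isAdmin = @($members) -contains $Group      # -contains is case-insensitive
        $status  = 'DRIFT'
        if ($isAdmin -eq $Expected[$server]) { $status = 'OK' }

        [pscustomobject]@{
            Server   = $server
            IsAdmin  = $isAdmin
            Expected = $Expected[$server]
            Status   = $status
        }
    }
}

# Constructed sample: membership as it should look once the GPO has applied.
$sample = @{
    'APP01' = @('CONTOSO\Domain Admins', 'CONTOSO\SRV-Install-Admins')
    'TS01'  = @('CONTOSO\Domain Admins')
}

Test-DelegatedAdmin -Group 'CONTOSO\SRV-Install-Admins' `
    -Expected @{ APP01 = $true; TS01 = $false } `
    -Membership $sample | Format-Table -AutoSize
```

Omit `-Membership` to query the listed servers live; that requires rights to read the local groups remotely.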
Windows Server 2003