N00b2015
asked on
Admin rights GPO
Hi all, i was wondering if you could help.
I've have recently had to use GPO to remove users local admin rights to their PC's. Due to the environment i work in, they are able to opt in and out of this (don't ask). So, i have setup two OU's "Admins" and "Non_Admin".
Non Admins have the below setting -
Comp Conf --> Pref --> Control Panel Settings --> Local Users and Groups
The policy removes any local rights and then adds only domain admins.
Fine, just the way i want it. Now for my query...
When i move computers to the "Admins" OU i have to manually add their domain accounts back (being removed from the above policy) via Computer Management --> Local Users and Groups --> Groups --> Administrators
I was hoping i could find away in GPO to set something under "Admins" to add just* their domain accounts back in!
Just a time saver really and would really appreciate any ideas. I'm sure there is a way!
Thanks as always,
Danny
I've have recently had to use GPO to remove users local admin rights to their PC's. Due to the environment i work in, they are able to opt in and out of this (don't ask). So, i have setup two OU's "Admins" and "Non_Admin".
Non Admins have the below setting -
Comp Conf --> Pref --> Control Panel Settings --> Local Users and Groups
The policy removes any local rights and then adds only domain admins.
Fine, just the way i want it. Now for my query...
When i move computers to the "Admins" OU i have to manually add their domain accounts back (being removed from the above policy) via Computer Management --> Local Users and Groups --> Groups --> Administrators
I was hoping i could find away in GPO to set something under "Admins" to add just* their domain accounts back in!
Just a time saver really and would really appreciate any ideas. I'm sure there is a way!
Thanks as always,
Danny
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Forgot to paste reference link
https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/
https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/
ASKER
Thanks Mahesh!! That's great.
What you can do is target domain admins group and add it to local admin group on all workstations without removing existing members
If you know who should be admin on. Which workstation, probably somebody can write code to add individual users to respective workstation