hypercube asked:

IT Staff Group Memberships for Workstation Setup

I tried earlier to get the needed information on this at:
I didn't quite get what I needed and had to press on.
I now have a couple of IT folks who are set up as Account Operators at least.
But this isn't adequate for them to get the Windows Firewall Rules set up on a new computer.
I've only been able to do that as a Domain Admin - which I don't want to do and don't want THEM to do.

What minimum Membership (or other settings or privileges) do I need to give them to be able to adjust the firewall (and other things in setting up a new workstation)?

arnold:

Account operators manage user accounts.
Server operators get system access.
You could use a GPO with a security group that is added as local admin on workstations.
Restricted group.

Firewall settings can be managed through GPO
Yes, they need to be a local admin on the workstation.

Use Group Policy restricted groups to make them local admin.

Start with a PC in a test OU to test the GPO before deploying to the rest of the organization.

hypercube:


I've already done that .....
Which? Restricted group and assigning these individuals as local admins on workstations?
Or use GPO to control firewall settings on workstations?

Or if you have an enterprise antivirus/security app, it would have a centralized way to control the clients installed on each workstation.
"Use Group Policy restricted groups to make them local admin" is what has been set up.
Since this is a new computer setup, and I'm not doing the hands-on work, I wonder about things like gpupdate?
gpupdate is a way to trigger a refresh, though a system refreshes when it is booted.
I.e., if you want to test, using gpupdate /force will direct the system to refresh GPOs for the computer and the logged-in user.
On change, the user will need to log out for the changes, or the system must be rebooted for a computer GPO.

Using gpmc on a server and the group policy wizard, you can see how and whether the GPOs will be reflected on a system and a logged-in user.

The report will indicate which GPO is applied, and which settings from which GPO control.

Leave the default domain policy and default domain controller policy alone.
To add settings it is often better to create specific, descriptively named GPOs.
This is also to avoid conflicting settings in multiple GPOs.
Since I'm using the GPO, is there a good command to see the effect of the result for a User on a workstation?
It would be useful to be able to ask: "Does this user have local admin privileges?"  It doesn't show up using
net user username /domain
and looking in the Local Group Memberships.
I'm not too surprised in view of how it's made to happen.
Maybe there's a simple test as compared to a "question" via a command, eh?
You have to use the group policy management console (administrative tool); it is an installable feature.
Within gpmc, look for the group policy wizard.
There is the group policy planner wizard that provides a way for hypothetical ..

In the group policy wizard, you can select the computer/workstation from the AD against which object it will run; the second screen deals with which user on the user GPO you wish to check.

The result will be a representation of the application of computer and user gpos on the ......

The results include the representation of the settings, and then you can see whether the setting of interest is applied and, if not, potentially another GPO sets the setting before the GPO you thought will set the setting.
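
Added example, not part of the original thread: a workstation-side check for the question "does this user have local admin privileges?" when the right arrives through a Restricted Groups GPO. `net user username /domain` queries the domain controller, so it cannot show the workstation's local Administrators group; the script below reads the local group and the logged-on user's token instead. The group name `EXAMPLE\Workstation-Admins` is a placeholder for your own security group.

```powershell
# Added example. Run on the new workstation while logged on as the IT staff member.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember cmdlet available).
$AdminSid   = 'S-1-5-32-544'                 # well-known SID of BUILTIN\Administrators
$StaffGroup = 'EXAMPLE\Workstation-Admins'   # placeholder: group pushed by the GPO

# 1. Refresh computer policy so the Restricted Groups setting is applied now
#    instead of at the next reboot or background refresh.
gpupdate /target:computer /force | Out-Null

# 2. What the machine itself has stored: members of local Administrators.
#    Addressing the group by SID avoids localized group names.
$members      = Get-LocalGroupMember -SID $AdminSid
$groupPresent = [bool]($members | Where-Object Name -eq $StaffGroup)

# 3. What the current logon session actually holds. A token is built at logon,
#    so a group added after logon only appears after logging off and on again.
#    /nh drops the (localized) header row; column names are supplied here.
$tokenGroups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$adminEntry  = $tokenGroups | Where-Object Sid -eq $AdminSid

# 4. Summarize. Under UAC a non-elevated session still lists the group, but
#    its Attributes column marks it as used for deny only until elevation.
[pscustomobject]@{
    User                    = whoami
    StaffGroupInLocalAdmins = $groupPresent
    AdminSidInLogonToken    = [bool]$adminEntry
    TokenAttributes         = $adminEntry.Attributes
    LocalAdminMembers       = ($members.Name -join '; ')
}

# Optional, from an elevated prompt: show which GPOs applied to the computer.
#   gpresult /r /scope computer
```

If `StaffGroupInLocalAdmins` is true but `AdminSidInLogonToken` is false, the GPO has applied and the user only needs to log off and back on.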
Thank you both!