Re: admin group in OU - help please

From: Alaa Abdelhalim [MSFT] (alaa_at_online.microsoft.com)
Date: 06/20/03


Date: Thu, 19 Jun 2003 15:21:03 -0700


Hello Sigitas,
A third solution that could be even easier to implement for your specific
scenario has been suggested as well. Here it is:
1. Put the machines of the users you want to target in a special OU.
2. Define a GPO that targets the computers in that OU and edit the GPO to
   define the local Administrators group to be a restricted group in Group
   Policy settings (under Computer Configuration - Windows Settings - Security
   Options - Restricted Groups).
3. Define the restricted Administrators group to contain Domain Admins and
   Admin123.

This will be applied on all computers targeted by that GPO. Notice that this
targets computers, not users, and doesn't necessarily apply at logon time, but
at computer startup time and any time the security group policy is refreshed
(default every 8 hours).

Thank you

-- 
Alaa Abdelhalim [MSFT]
-----
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
"Alaa Abdelhalim [MSFT]" <alaa@online.microsoft.com> wrote in message
news:uqjItMHNDHA.1552@TK2MSFTNGP10.phx.gbl...
> Hello Sigitas,
> Sorry it took me some time to get back to you as I had forwarded your
> request to some people with more experience in the group policy area.
>
> There are 2 solutions that you can use:
> 1. You could write a "Startup Script" (not "logon script") that runs whenever
> the machine boots up and enumerates the members of PowerUsers on the local
> machine and then adds them to the local Administrators group. This script
> will run in system context and can be specified in a GPO on the OU or
> domain.
> 2. You can use Windows Installer in conjunction with group policy to deploy
> a "managed installer" that runs whenever the user logs on and adds the
> current user (after checking they're a power user) to the local
> administrators group.
> Such an installer would run in an elevated context and thus would be able to
> accomplish the task. You shouldn't need to install an actual program, but
> rather you would use what's called a "custom action" for the installer to do
> the job. For more information on how to do this, here are a couple of
> pointers:
> Group Policy Software Installation:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/softwareinstallationhowto.asp
> About Windows Installer:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/about_windows_installer.asp
>
> I hope this has been helpful.
> Thank you
>
> -- 
> Alaa Abdelhalim [MSFT]
> -----
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send e-mail directly to this alias. This alias is for
> newsgroup purposes only.
>
>
>
> "Alaa Abdelhalim [MSFT]" <alaa@online.microsoft.com> wrote in message
> news:#ZDYSVRMDHA.2884@tk2msftngp13.phx.gbl...
> > Hello Sigitas,
> > Your observation is correct. I had forgotten about your non-administrative
> > users being unable to use this method.
> > Let me get back to you with a better answer.
> >
> > Thank you
> >
> > -- 
> > Alaa Abdelhalim [MSFT]
> > -----
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Please do not send e-mail directly to this alias. This alias is for
> > newsgroup purposes only.
> >
> >
> >
> > "Sigitas Skublickas" <sskublickas@acf.hhs.gov> wrote in message
> > news:Ol4t$0GMDHA.1216@TK2MSFTNGP11.phx.gbl...
> > > Thanks for your reply. But I still have one problem. If the user on whose
> > > machine I'm starting this script is not in a Local admin group then I get
> > > script error: Access Denied.
> > > If I login with a user that has local admin rights then the script adds
> > > user from OU to local admin group and everything is ok.
> > > What should I do to fix the problem with users who do not have local
> > > admin privileges?
> > > And - Is there a way I can complete this task using GPOs?
> > >
> > > For example, by default Domain Admins group is somehow added automatically
> > > to all machines' local admin group at the time of joining them to domain.
> > > Can I add some other groups the same way?
> > >
> > > S
> > >
> > > "Alaa Abdelhalim [MSFT]" <alaa@online.microsoft.com> wrote in message
> > > news:uQGml3FMDHA.2892@TK2MSFTNGP10.phx.gbl...
> > > > You need to decide which user accounts are going to have Admin123 as an
> > > > administrator on their machines (e.g. the users in that OU) and then set
> > > > their logon scripts to run this command:
> > > > net localgroup administrators %userdomain%\admin123 /add
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Alaa Abdelhalim [MSFT]
> > > > -----
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > Please do not send e-mail directly to this alias. This alias is for
> > > > newsgroup purposes only.
> > > >
> > > >
> > > >
> > > > "Sigitas Skublickas" <sskublickas@acf.hhs.gov> wrote in message
> > > > news:#$EJe$EMDHA.212@TK2MSFTNGP10.phx.gbl...
> > > > > Hello everybody. I have this situation:
> > > > >
> > > > > I created an OU in AD. Granted rights to some users so that they can do
> > > > > admin stuff for OU objects. Also I created Admin123 group in that OU. I
> > > > > want this Admin123 group to be added to client machines' local admin
> > > > > group at logon time. What should I configure?
> > > > >
> > > > > thanks!!
> > > > >
> > > > > S
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
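Added example (not from the thread): once the Restricted Groups GPO from the top reply has applied, a local Administrators group that still contains anything beyond Domain Admins and Admin123 indicates the policy has not applied or membership has drifted. This check compares actual membership with the expected set; it assumes PowerShell 5.1 or later for Get-LocalGroupMember, and "CONTOSO" is a placeholder domain name.

```powershell
# Added example, not from the thread. Verify that the local Administrators
# group matches what the Restricted Groups policy is meant to enforce.
# Assumptions: PowerShell 5.1+ (Get-LocalGroupMember); "CONTOSO" is a
# placeholder for your domain's NetBIOS name; $ExpectedMembers mirrors the
# "Members of this group" list defined in the GPO.
$ExpectedMembers = @('CONTOSO\Domain Admins', 'CONTOSO\Admin123')

function Test-RestrictedAdmins {
    param([string[]]$Expected = $ExpectedMembers)

    # Name comes back as 'DOMAIN\Account' or 'COMPUTER\Account'.
    $actual = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name }

    # The built-in local Administrator account is retained by Windows in this
    # group regardless of policy, so it is excluded from the comparison.
    $actual = $actual | Where-Object { $_ -notlike '*\Administrator' }

    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual   | Where-Object { $Expected -notcontains $_ })

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing   = $missing   # expected by policy but absent locally
        Extra     = $extra     # present locally but not defined by policy
    }
}

$result = Test-RestrictedAdmins
$result | Format-List

if (-not $result.Compliant) {
    # Policy not yet applied, or someone altered membership since the last
    # refresh; force a computer policy refresh and re-run the check.
    Write-Warning 'Local Administrators membership differs from the GPO definition.'
    Write-Warning 'Run: gpupdate /target:computer /force   then re-run this script.'
    exit 1
}
exit 0
```

The non-zero exit code lets the script run from a scheduled task or monitoring agent so drift from the policy-defined membership is caught between refresh intervals.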

