Re: Help needed setting up roaming administrator

From: Steve Hull (msnnews.REMOVE_TO_REPLY_at_steve-hull.com)
Date: 08/28/04


Date: Sat, 28 Aug 2004 10:26:06 -0400

Thanks, Steve (and Paul).

I tried the Restricted Groups approach: created a security group
called "Roaming Local Admins" and added several user accounts. I also
created an OU and put the computers in it that I want to use my
Roaming Local Admins group. Then I added a GPO to the OU and created
an entry in Restricted Groups for the "Roaming Local Admins" security
group.

However, in looking at all the options available in the GPO, I don't
see how to make the Roaming Local Admins group a member of the local
Administrators group on the computers in my OU. Although there are
many options that let me assign most of the functionality of a local
admin to my Restricted Group, I don't see any option that lets me add
members to a computer's local Administrators group.

Next, I set up a startup script with the "net localgroup
administrators mydomain\Roaming Local Admins /add" command.
(Actually, I had to put quotes around the domain name\group name.)
That did the trick!

Thanks to both of you. I learned a lot.

- Steve

On Fri, 27 Aug 2004 15:13:56 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>As Paul mentions Restricted Groups is one option but it probably will remove existing
>members of the local administrators group from computers on the container where it is
>implemented. Another option is a "startup" script implemented via Group Policy to
>computers within the scope of influence of the policy such as the Organizational Unit
>level. You can use the net localgroup command. Use net help localgroup for more
>information at the command prompt. For instance to add domain user Bubba to the Local
>Administrators group use [ net localgroup administrators mydomain\Bubba /add ]. The
>command line tool cusrmgr can also do the same with a batch file. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241 --- Group Policy
>scripts and how to configure
>
>"Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in message
>news:MPG.1b98bc09e8ded3d0989a36@msnews.microsoft.com...
>> In article <dq5ti0pgulb811ce1c12h2vgotj1967bdv@4ax.com>, in the
>> microsoft.public.win2000.security news group, Steve Hull
>> <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
>>
>>> This leads to another question. I really don't want to walk around to
>>> each workstation and manually add DOMAIN\JOE to the local admins
>>> group. Is there any way to automate this (e.g., GPO, Script, etc.) ??
>>>
>>
>> You can do this with the Restricted Groups option in Group Policy. You
>> really should read up on the feature (in help, and on the Microsoft web
>> site) before doing this however. You need to make sure that you set the
>> policy at the right place (for example, if you do this at the domain
>> level, you're going to wind up adding the account to the Administrators
>> group on your Domain Controllers as well as the workstations, which you
>> might not want to do). You also want to make sure that you keep the
>> default users and groups in the local Administrators group.
>>
>> --
>> Paul Adare
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>
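
The startup-script approach from this thread, written out as a batch file. This is an added example, not code posted by anyone in the thread; the group name is the one from the post, and the log path is an assumption.

```bat
@echo off
rem Added example, not from the original thread.
rem Assign it as a computer Startup script in the GPO linked to the OU.
rem Startup scripts run as Local System, so they can edit local groups.
setlocal

rem Group name taken from the post; the log path is an assumption.
set "GROUP=mydomain\Roaming Local Admins"
set "LOG=%SystemRoot%\Temp\roaming-local-admins.log"

rem Already a member? Then do nothing, so later boots are a no-op.
net localgroup Administrators | find /i "%GROUP%" >nul
if not errorlevel 1 goto done

rem The quotes are required because the group name contains spaces.
net localgroup Administrators "%GROUP%" /add >>"%LOG%" 2>&1
if errorlevel 1 goto failed

echo %DATE% %TIME% added "%GROUP%" to Administrators >>"%LOG%"
goto done

:failed
echo %DATE% %TIME% could not add "%GROUP%" to Administrators >>"%LOG%"
endlocal
exit /b 1

:done
endlocal
exit /b 0
```

The script only adds the group and leaves the existing members of the local Administrators group in place.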


