Re: administrator rights for computer

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/14/05


Date: Wed, 14 Sep 2005 11:56:09 -0500

You could use Group Policy Restricted Groups and the "member of" option for
Windows 2000 computers using at least SP4 and XP Pro/2003 computers. When
doing this you need to create an OU with a Group Policy linked to it that
has Restricted Groups configured. Then move the computers [NOT domain
controllers however] that you want to add the global group to the local
administrators group on into that OU. You can also use Restricted Groups to
managed domain groups and you would want to do that on the domain
controllers container. I would consider domain admins to be a very sensitive
group and would consider Restricted Groups to enforce membership of that
group. You should not need very many members of the domain admins group as
much can be done with AD delegation in a domain. --- Steve

http://support.microsoft.com/default.aspx?kbid=810076 --- Resricted Groups
member of
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
 --- Restricted Groups

"APJ" <APJ.1vciu1@mail.mcse.ms> wrote in message
news:APJ.1vciu1@mail.mcse.ms...
>
> Was wondering..
> Is there a way of having an AD group called 'Local PC Admin' where one
> may add domain users as members, then whichever PC these users log
> into, they obtain 'Local PC Administrator rights' on that PC during
> their session.?
> Same as the Domain Admins group members can.. only they get domain
> admin rights obviously..
> This would save having to know the username for each PC and users could
> move around as they do..
> AJ
>
>
>
> --
> APJ
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1808657.html
>



Relevant Pages

  • Re: How do you all manage employee workstations? Looking for sugge
    ... users needed members of those domain groups, ... Use the "Restricted Groups" feature. ... And definitely restrict it to the users who actually need those permissions. ... And you can restrict it to computers on which the software is installed ...
    (microsoft.public.windows.server.sbs)
  • Re: Restricted Groups GPO
    ... The startup script could add the required groups to the local admin group on ... I've only used it to stipulate> what domain groups are members or what local groups - I didn't care that> nobody else could be a member;-) ... > I need to use the Restricted Groups policy setting to enforce> membership in the local Administrators group on member servers and> workstations by certain global groups ...
    (microsoft.public.windows.server.active_directory)
  • Re: Give user Admin rights to all PCs?
    ... With care you can use the GPO Restricted Groups to do this. ... CompAdmins) you create to be a member of Adminstrators ... restricted group for CompAdmins and use the Members ...
    (microsoft.public.windows.server.active_directory)
  • Re: localgroup administrators
    ... The restricted groups policy may add members to groups and if you took the policy away the members would remain. ... > to be a local admin on these 5 machines and not the rest and alice to> be ...
    (microsoft.public.windows.group_policy)
  • Re: Add another domain user group to local administrators of all computers in an OU with removing ot
    ... Using restricted groups properly doesn't remove anyone from the local admins ... You are using it incorrectly in forcing only group members defined ... Create the gpo in the ou where the Computers reside, ...
    (microsoft.public.windows.server.active_directory)