Re: Giving admin rights to a subset of computers
- From: "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Jan 2006 13:49:01 -0800
Steve,
Thanks again but I'm still a bit confused. Here's what I have and what I've
tried.
We are small so our users were created at the domain level. All the
computers exist in the 'Computers' folder under the domain. I've created an
OU, 'ATL' that has just 1 test machine in it. Also the global group,
'ATL-Admins', to hold the users I want to give admin rights to is at the
domain level. Should it be there or at the OU level? I also created a new
gpo for the OU. In that gpo I've not defined any policy settings and I've
created a restricted group 'ATL-RG'. On the property sheet of this RG, I've
made the global group 'ATL-Admins' a member of the RG. And made the RG a
member of the 'Administrators' group. After rebooting the client the new
global group is not in the local users and groups. What might I have done
wrong?
Thanks again.
"Steven L Umbach" wrote:
> I would create a new Group Policy in that OU or modify one that you already
> have linked to that OU if it is used ONLY for that OU and you want to apply
> Restricted Groups to all computers in that OU. You would want to create a
> new global group [wrkstadmins or whatever] that you would add users to that
> you want to be administrators on computers in the OU. Then you would want
> that global group to be "this group is a member of" administrators group.
> If you can't browse to administrators group just type in administrators.
> After you are done force Group Policy refresh on your domain computer or
> reboot to see if the new global group is in the local administrators group
> of the domain computers in the OU. If you are still a bit unsure/uneasy
> create a test OU with its own Group Policy and configure it there and move
> a couple computers into the OU when done to see if it works. --- Steve
>
>
> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:3DC2B523-3E7A-49AA-A8E0-D5798F2F7CFA@xxxxxxxxxxxxxxxx
> > Steve,
> > Thanks for the reply and excuse the following notes and questions as I'm a
> > bit confused and somewhat overwhelmed.
> > I currently have domain 'A' and there is an OU underneath that domain called
> > 'XYZ'. When right-clicking and choosing properties I can get to the Group
> > Policy tab. Do I need to create a new group policy object or should I add
> > the default domain group policy object? Then create the restricted group
> > under that gpo. Once that is done would the group that you suggested below
> > be made a member of the restricted gpo group? And would the restricted gpo
> > be made a member of let's say domain admins?
> >
> > "Steven L Umbach" wrote:
> >
> >> Probably the best way is to implement Group Policy Restricted Groups at the OU
> >> level for the computers you want this to happen on. See the link below for
> >> more details. I would create a global group and add it to "this group is a
> >> member of" for administrators at the OU level. Doing it at the OU level will
> >> prevent the users from being added to the administrators group for the
> >> domain assuming that domain controllers are not in the scope of management
> >> of that GPO at the OU level which they would not be if all are in the
> >> default domain controllers container. --- Steve
> >>
> >>
> >> http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
> >>
> >> "Marty" <Marty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:7B660EFC-C3B8-4019-978D-447BC423C75B@xxxxxxxxxxxxxxxx
> >> > I would like to give a certain user (or group) full administrator rights to a
> >> > subset of machines in my domain, without making them members of the 'Domain
> >> > Admins' or 'Administrators' group. Is this possible?
> >>
> >>
> >>
>
>
>
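An added example, not part of the thread or of any poster's configuration: Restricted Groups settings are saved in the GPO's GptTmpl.inf under a [Group Membership] section, and this Python script reads such a section to tell apart a group that the policy adds to local Administrators ("This group is a member of") from a policy that replaces the Administrators membership ("Members of this group"). The SIDs in the sample are constructed, and flagging an entry stored by name rather than by SID as one to verify is an assumption of this example.

```python
import re

ADMINS = ("*s-1-5-32-544", "administrators")  # BUILTIN\Administrators, by SID or name

# Constructed sample of a [Group Membership] section; the domain SID is made up.
# First pair: a domain group set as "This group is a member of" Administrators.
# Second pair: a group stored by name only (assumed here to need verification).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1104__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1104__Members =
ATL-RG__Memberof = Administrators
ATL-RG__Members = ATL-Admins
"""

def parse_group_membership(text):
    """Return {group: {"memberof": [...], "members": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(Memberof|Members)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            entry = groups.setdefault(m.group(1).strip(), {"memberof": [], "members": []})
            entry[m.group(2).lower()] = [v.strip() for v in m.group(3).split(",") if v.strip()]
    return groups

def audit_local_admins(text):
    """List (finding, group) pairs that affect the local Administrators group."""
    findings = []
    for group, entry in parse_group_membership(text).items():
        if any(t.lower() in ADMINS for t in entry["memberof"]):
            # Additive: the group is added, existing local members are kept.
            kind = "adds-to-admins" if group.upper().startswith("*S-1-") else "name-not-sid"
            findings.append((kind, group))
        if group.lower() in ADMINS and entry["members"]:
            # Authoritative: local members not listed here are removed.
            findings.append(("replaces-admins", group))
    return findings

if __name__ == "__main__":
    for finding in audit_local_admins(SAMPLE_INF):
        print(finding)
```

A real GptTmpl.inf is usually stored as UTF-16, so decode it before passing the text to `audit_local_admins`.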