Re: Domain Users to have Local Admin rights



I tried this, but I still don't think I am doing it right.

I made "ZEROONENETWORKS/HelpDesk" a member of "Administrators" with no
members inside the Restricted Group, but it still doesn't wanna work. I
logged out then back in. And even restarted.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OxzWIA2aGHA.4520@xxxxxxxxxxxxxxxxxxxxxxx
What Brooster posted only works when you are OK with having
all machines that are within scope of the GPO carrying the Restricted
Group definition for Administrators have identical membership for
their local Administrators group.
This is quite often not possible.
If all of the machines are current versions of Windows at latest
service pack, then one can do an inverted form of using Restricted
Group. Say you have a custom domain group HelpDesk. If in a
GPO linked to OU containing (somewhere) within (subOU structure)
the machines on which HelpDesk should be in the local Administrators
group you define a Restricted Group definition, not for Administrators
but for HelpDesk. Now, the trick is that you do not set anything in
the Members list of the Restricted Group definition but you do set
Administrators in the Member Of list. When that GPO applies to
the subjected machines HelpDesk will be added to Administrators
and what was already in Administrators will remain.
However, keep in mind that GPO application is driven by change,
that is, GPO is reapplied when it is seen the GPO has changed.
The result from this is that if a local admin alters the membership
it will stay altered until the GPO is reapplied. There is a policy that
causes GPOs to be applied always, even if no change has happened,
but keep in mind this will cause work and network traffic approx
every 90 minutes per machine.

Take a look at
http://support.microsoft.com/kb/810076
but do not be put off by the article title (which is slightly inaccurate)
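As an added example (not part of the thread), a PowerShell check a helpdesk lead could run after the Restricted Groups "Member Of" definition applies: it reports whether ZEROONENETWORKS\HelpDesk has landed in the local Administrators group and whether anything outside an approved baseline has crept in, the drift Roger warns will persist until the GPO is reapplied. The domain and group name come from the thread; the computer inventory and the approved local accounts are constructed placeholders.

```powershell
# Added example, not from the thread: audit local Administrators membership after the
# Restricted Groups "Member Of" policy for HelpDesk has applied.
# Assumptions: domain/group from the thread; inventory and approved accounts are placeholders.

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider works on every Windows version and needs no RSAT.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # AdsPath looks like WinNT://ZEROONENETWORKS/HelpDesk -> ZEROONENETWORKS\HelpDesk
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminDrift {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$RequiredMember = 'ZEROONENETWORKS\HelpDesk',
        [string[]]$ApprovedLocal = @()      # per-machine accounts that are allowed to stay
    )
    # Baseline that should survive the policy: built-in Administrator, Domain Admins,
    # this machine's approved local accounts, and the group the policy adds.
    $approved = @("$ComputerName\Administrator", 'ZEROONENETWORKS\Domain Admins') +
                $ApprovedLocal + $RequiredMember
    $members  = @(Get-LocalAdminMembers -ComputerName $ComputerName)
    [pscustomobject]@{
        Computer        = $ComputerName
        # $false means the GPO has not applied yet: wait for refresh or run gpupdate /force
        PolicyApplied   = ($members -contains $RequiredMember)
        # Anything here is drift a local admin introduced since the last GPO application
        UnexpectedAdmin = @($members | Where-Object { $approved -notcontains $_ })
    }
}

# Constructed inventory: machine name -> extra local admin accounts that must be kept
# (the laptop accounts RedPenguin mentions). Add entries such as
#   'LAPTOP01' = @('LAPTOP01\jsmith')
$inventory = @{ $env:COMPUTERNAME = @() }
foreach ($pc in $inventory.Keys) {
    Test-LocalAdminDrift -ComputerName $pc -ApprovedLocal $inventory[$pc]
}
```

Run it from an account that can read the remote machines' local groups; a row with PolicyApplied false points at a machine the GPO has not reached, while a non-empty UnexpectedAdmin list is what the "process even if GPOs have not changed" setting Roger mentions would periodically clean up.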

"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1255jubreasa613@xxxxxxxxxxxxxxxxxxxxx
well here is the problem. That I am not sure about using Brooster's
solution.

We have various admin accounts other than administrator
on some of the client machines, and we do not want to
have it remove those, because some are laptops and they
use those accounts when they login at home. Is there any way to be able to
keep their current admin accounts also?


"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:ec6NvGwaGHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Brooster posted a solution to your question.

What I would like to add is a warning against using domain administrator
accounts to logon to user computers.
So simply put -- don't use accounts that have domain administrator
permissions for logging on to client computers. Use these accounts only
for working on domain controllers.
For logging on to client computers create new accounts (e.g. admin-mike,
admin-greg, etc) and add them to a group called e.g. Help Desk. Now add
this group to Local Administrator group by using solution proposed by
Brooster.

--
Mike
Microsoft MVP - Windows Security

"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1254qjd2uso6j84@xxxxxxxxxxxxxxxxxxxxx
Ok we recently installed Microsoft Server 2003 Enterprise Edition on
our PC. The whole domain is working and everyone has their own login
that works. The only thing is, those users do not have local admin
privileges on the PCs they logon to.

We wish to have a handful of users, HelpDesk, that when they login to
any machine, they automatically get admin privileges on the
workstation.

We tried playing with Group Policy Editor but nothing at all will
work.
