Domain Global Groups in Workstation Local Admin Groups

From: George (George_at_discussions.microsoft.com)
Date: 08/25/04


Date: Wed, 25 Aug 2004 10:41:07 -0700

Hello all,

We have functional software admins that are responsible for end user
support on workstations where their software is installed.

I want to create Global security groups, and populate the workstations' local
Administrators group with these Global Security groups. This is easily
done with GPO using restricted groups policy.

My problem is that I only want our functional software admins to have admin
rights on the workstations that have been identified as needing their
software and support.

Our OU structure for computers is based on Geographical Location. Our users
are structured by department.

Some of the functional software admins need to administer workstations that
cross both geographical and departmental OU structures. This rules out
creating GPOs and applying them to the entire OU without filtering.

I applied the GPO Restricted Groups policies at the root of the workstations
OU structure so that all computers would process the policy.

I then created global security groups for the computers that would be
managed by the different functional admins. I also created matching global
admin security groups that contain the different functional admins' usernames,
for use in the local Administrators group.

I planned on using GPO filters, allowing the restricted groups GPOs created
for each functional administrator to apply to systems that are in their
respective computer security group. By doing this I could just add a
computer to the computer global security group, and the GPO would apply the
global admin group to the local Administrators group on the workstations that
match the filter.

My problem is that a workstation may need multiple global admin security
groups as local administrators, because the end user has applications that
are managed by different functional admins. Only the first GPO linked to an
OU applies its restricted group policy. This is documented on TechNet
(810076). So even though the GPO applies, after checking its filter, only
the first restricted group gets updated on the workstation. Each GPO as it
applies overwrites the settings of the other, rather than applying all GPO
restricted groups policies to the workstation.

Has anyone found a way around this?

Thanks
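As an added example (not part of George's post), the following PowerShell check compares a workstation's local Administrators group with the domain global groups that the Restricted Groups GPOs are expected to have placed there, so the overwrite behaviour described above shows up as missing groups. The domain and group names are constructed placeholders.

```powershell
# Added example, not from the original post: audit the local Administrators
# group of this workstation against the global admin groups that Restricted
# Groups GPOs should have added. Group names below are constructed placeholders
# standing in for the per-functional-admin groups described in the post.
param(
    [string[]]$ExpectedGroups = @('CONTOSO\App1-Admins', 'CONTOSO\App2-Admins'),
    [string[]]$AlwaysAllowed  = @('CONTOSO\Domain Admins')
)

# Current members of the local Administrators group (PowerShell 5.1 or later).
$members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

# Local accounts (e.g. the built-in Administrator) are reported as COMPUTER\Name;
# leave them out, since the comparison only concerns domain principals.
$domainMembers = $members | Where-Object { $_ -notlike "$env:COMPUTERNAME\*" }

# Groups a GPO should have added but did not: the symptom of one Restricted
# Groups policy overwriting another.
$missing = $ExpectedGroups | Where-Object { $domainMembers -notcontains $_ }

# Domain principals present that no policy is expected to add.
$extra = $domainMembers | Where-Object {
    ($ExpectedGroups -notcontains $_) -and ($AlwaysAllowed -notcontains $_)
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Missing   = @($missing)
    Extra     = @($extra)
    Compliant = (-not $missing) -and (-not $extra)
}
```

Run it locally, or wrap it in Invoke-Command to collect the result from each workstation in a computer group and review the Missing column across the fleet.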


