Announcement

Collapse
No announcement yet.

Assign Admin XP disable

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Assign Admin XP disable

    Was wondering if there was any way to stop another administrator assigning another standard user admin rights on XP machine, like disable access to modifying the administrators group to specific users. This is in a domain environment - the reason being I need some staff to have admin rights, but not to be able to assign or add another user to the Administrators group of the local PC.
    Last edited by dpp; 9th October 2006, 02:47.

  • #2
    Re: Assign Admin XP disable

    Originally posted by dpp
    Was wondering if there was any way to stop another administrator assigning another standard user admin rights on XP machine, like disable access to modifying the administrators group to specific users. This is in a domain environment - the reason being I need some staff to have admin rights, but not to be able to assign or add another user to the Administrators group of the local PC.
    Hi,

    You might try using Restricted Group in your GPO.
    GPO\Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

    Create your administrators group in. Next, add members to Members of this group.

    -> Whoever is not define inside the restricted group will not be included.
    *for more details, you may go to...
    http://support.microsoft.com/Default.aspx?kbid=279301

    Hope this will help...
    Just another MCP

    Comment


    • #3
      Re: Assign Admin XP disable

      Yeah i've actually already tried this and it is still in place, however it seems a little flaky as only sometimes when I do a force refresh using gpupdate it removes the users not defined in the security group in the policy, and without a manual force it rarely ever removes the other users. Not sure if theres a way to force policy refresh more often to try and get this method to work a little better.

      Comment


      • #4
        Re: Assign Admin XP disable

        That is strange. Where did you deploy your GPO at? OU? Domain?
        Restricted Group is to be deployed on Computer Accounts rather than User Accounts.
        Just another MCP

        Comment


        • #5
          Re: Assign Admin XP disable

          The policy is directly on the OU containing the computer accounts. It does tend to work occassionly but yeah as I said the usually only on force refresh. Other Group Policies in the same policies do appear to be working fine so yeah that what had me confused

          Comment


          • #6
            Re: Assign Admin XP disable

            Unless you wish to use scripting? That is the area which I am not sure of..
            Else you may want to check out your GPO deployment using RSoP.

            By the way, you want to restrict your domain administrators from adding users to local administrators group? when you say "but not to be able to assign or add another user to the Administrators group of the local PC."
            Just another MCP

            Comment


            • #7
              Re: Assign Admin XP disable

              yeah sorry probably not worded real well there, basically in our workplace certain staff members need admin rights to use specific software (It wont work otherwise, very poor design). These people are in a AD groups and this AD group is in the administrators group of every PC. The trouble is some of these staff members are adding in other specific users we do not want to have any local admin rights, this is what we are trying to stop.

              So it does not matter if domain admins can no longer add people to the admin group, as they can just add them into the AD group we have created for this purpose.

              Comment


              • #8
                Re: Assign Admin XP disable

                I will let you know if I can find out on that.
                Meanwhile you might want to try redeploy a test GPO of similar model to a test OU.
                Set a new GPO just to deployed your Restricted Group on that OU.
                Use gpresult or RSoP to verify it is working well.

                seems like I cant help you much.. sorry pal..
                Just another MCP

                Comment

                Working...
                X