Domain users to Local Desktop Admins?


  • Domain users to Local Desktop Admins?

    Hi Sirs,

    Are there some other ways to assign regular domain users as administrators of desktops so they can support (install, troubleshoot, etc.) other regular users?
    I'm thinking of adding those selected domain users to the Administrators group of the local desktop. The thing is we have about a hundred desktops, and I will be doing it (adding selected domain users to the local desktop Admin group) per desktop, but that would take a long time. Is there a faster or better way?

    Thanks
    Ronuel
    MCP
    There is only one way to find Out..Its to try it and/or Do it...

  • #2
    Re: Domain users to Local Desktop Admins?

    Group policies my friend, group policies...

    You can set Restricted Groups in two ways:
    • Add a domain group to a local group, without restricting access.
    • Add a domain group, and prevent others from being added manually.


    A short note on the second part:
    You can still add users manually, but they will be removed again after the policy is refreshed. The default refresh rate on member servers is 90 to 120 minutes.

    You can find Restricted Groups under Machine configuration -> Windows Settings -> Restricted Groups.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com



    • #3
      Re: Domain users to Local Desktop Admins?

      Originally posted by Killerbe:
      • Add a domain group to local group, without restricting access.
      I don't understand, Sir. Should I do this in domain GP or local GP? And adding the domain group to the local group means I will still be adding groups one by one to a hundred machines.
      Ronuel


      • #4
        Re: Domain users to Local Desktop Admins?

        You should do it in the domain Group Policy (not in every local machine policy), on the OU where the computer objects are.


        • #5
          Re: Domain users to Local Desktop Admins?

          You can start by creating a security group for the users you intend to do these admin tasks. Then create a GPO that links to the intended OU where all the computer accounts will be.
          You can then edit the GPO to add the security group you created before to the local Administrators group in two ways.

          1- Through a Startup script

          Create a batch file with the following syntax:

          net localgroup Administrators "Domain\Security_Group_You_CreatedBefore" /Add

          Assign the script as a Startup script.

          2- Through a Restricted Groups Config.

          Edit the GPO in the following:
          Computer Config | Windows Settings | Security Settings| Restricted Groups

          Have a look at this article for more info on Restricted Groups: http://www.windowsecurity.com/articl...ed-Groups.html

          Ta
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR



          • #6
            Re: Domain users to Local Desktop Admins?

            Be careful with restricted groups.
            If you apply restricted groups it will override current local groups. And every time the GPO is refreshed, all users and groups that have been added to local groups in the meantime will be removed by restricted groups.

            In my case, I needed to find out the hard way.
            Last edited by alien_ri; 13th October 2008, 22:28.



            • #7
              Re: Domain users to Local Desktop Admins?

              Originally posted by alien_ri:
              Be careful with restricted groups.
              If you apply restricted groups it will override current local groups. And every time the GPO is refreshed, all users and groups that have been added to local groups in the meantime will be removed by restricted groups.

              In my case, I needed to find out the hard way.

              Not true..

              As I stated before, there are two ways to set a restricted group.
              Either just adding, leaving the local group untouched, or restrictive, in which it will remove all members and only allows the group you have defined.


              • #8
                Re: Domain users to Local Desktop Admins?

                Incorrect. If you use the "Restricted Groups" setting in Group Policy, the group you specify has the membership you specify in the policy. Any members not listed in the policy will be stripped from the group.

                I would be interested to know what two methods you're talking about?


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you



                • #9
                  Re: Domain users to Local Desktop Admins?

                  Understand the use of Restricted Groups

                  If you create a Restricted Groups policy for a group, any users and groups that are not specified as members of the group within the policy are removed from the group. For example, if you create a Restricted Groups policy for the local Administrators group, and the newly created policy specifies only the Domain Admins group as members, all other members of the local Administrators group (including any local accounts) are removed from the local Administrators group when the policy is applied. Note that if the Restricted Groups members are defined in more than one GPO, only the members that are defined in the GPO with the highest precedence are applied. This also applies to the groups that the group can be a member of.

                  http://technet.microsoft.com/en-us/l.../cc781760.aspx



                  • #10
                    Re: Domain users to Local Desktop Admins?

                    In Restricted Groups you have the "group", the "members" and the "member of".

                    If you set group: Administrators

                    Members: Domain\Support group

                    Then the support group is a member of the Administrators group, and all the rest is removed.

                    But if you set group: Domain\Support Group

                    Member of: Administrators

                    Then the Domain\Support group is added to the local Administrators group without removing the already configured accounts.
                    Last edited by Killerbe; 14th October 2008, 12:41. Reason: typo

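The difference between the "Members" and "Member Of" settings described in post #10, modelled as an added example (not part of any post in this thread): it parses the `[Group Membership]` section that a Restricted Groups policy stores in the GPO's GptTmpl.inf and applies it to a local group. The policy text, the CORP\ account names and the simplified refresh model are constructed assumptions.

```python
import re

# Constructed sample policies (not taken from the thread's environment).
# *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
SAMPLE_REPLACE = "[Group Membership]\n*S-1-5-32-544__Members = CORP\\Support\n"
SAMPLE_ADD = "[Group Membership]\nCORP\\Support__Memberof = *S-1-5-32-544\n"
LOCAL_STATE = {"Administrators": {"CORP\\Domain Admins", "CORP\\alice"}}

WELL_KNOWN = {"*S-1-5-32-544": "Administrators"}
KEY = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.IGNORECASE)

def _name(value):
    """Map a well-known SID to its group name, otherwise keep the value."""
    value = value.strip()
    return WELL_KNOWN.get(value, value)

def parse_group_membership(inf_text):
    """Return [(group, 'members'|'memberof', [values])] from the INF text."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = KEY.match(line) if in_section else None
        if match:
            group, kind, vals = match.groups()
            values = [_name(v) for v in vals.split(",") if v.strip()]
            entries.append((_name(group), kind.lower(), values))
    return entries

def apply_policy(local_groups, entries):
    """Model one policy refresh against {local group: set(members)}."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, kind, values in entries:
        if kind == "members":
            # "Members": the listed accounts become the whole membership.
            if group in result:
                result[group] = set(values)
        else:
            # "Member Of": the group is added; existing members are kept.
            for target in values:
                result.setdefault(target, set()).add(group)
    return result

if __name__ == "__main__":
    for label, text in (("Members", SAMPLE_REPLACE), ("Member Of", SAMPLE_ADD)):
        print(label, apply_policy(LOCAL_STATE, parse_group_membership(text)))
```

Running the same parser over the GptTmpl.inf files of GPOs linked to workstation OUs shows which policies replace the local Administrators membership and which only add to it.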

                    • #11
                      Re: Domain users to Local Desktop Admins?

                      I believe this is true, however I cannot confirm this without experimenting. I know it certainly *used* to be possible to add rather than replace, but the wording in the screenshots I saw along with the documentation were quite different to the menu I see on our DC. I flattened my testbed last night but am planning to get 2003 Standard up and running shortly to test something else out. If I remember, I'll investigate this too.
                      Gareth Howells

                      BSc (Hons), MBCS, MCP, MCDST, ICCE

                      Any advice is given in good faith and without warranty.

                      Please give reputation points if somebody has helped you.

                      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



                      • #12
                        Re: Domain users to Local Desktop Admins?

                        A few days ago I used MEMBERS and the next morning I had a problem with some users that needed to have local admin rights. The idea was to put the Helpdesk group on client computers as a member of the local Admin group.

                        I just tested MEMBER OF on a few computer accounts and it's working just as Killerbe told us. I will leave this for a few days, to see if there will be some strange things... after that, if the results satisfy me I'll apply it to the whole OU.



                        • #13
                          Re: Domain users to Local Desktop Admins?

                          That's fantastic. Thanks Killerbe, I was not aware that the "Member Of" tab existed in the Restricted Groups policy. However you'd have to be careful that the TARGET group was not also a member of OTHER groups; or you'd have the same problem in the opposite direction....


                          Tom


                          • #14
                            Re: Domain users to Local Desktop Admins?

                            Can you tell us which "problems" you are talking about?
                            I didn't find any problems today on my test group of computers



                            • #15
                              Re: Domain users to Local Desktop Admins?

                              Let's say you wanted to add GS_Users2 to BUILTIN\Administrators. You add "GS_Users2" as a Restricted Group, and in the Member Of tab, you add "BUILTIN\Administrators". Bingo - sorted.

                              HOWEVER

                              If GS_Users2 was also a member of GS_Users3 BEFORE you did this, it would not be any longer... because the "Member Of" tab would be populated from the policy, and would only include "BUILTIN\Administrators". You would also have to include "GS_Users3" on the Member Of tab of the policy.


                              Tom