Assign Local Admin status through GPO


  • Assign Local Admin status through GPO

    Hi,

    I want to add users as Local Admins by using GPO, could someone point me in the right direction?

    Thanks

  • #2
    Re: Assign Local Admin status through GPO

    Either open the "Default Domain Policy" GPO or create a new GPO linked to the relevant OU containing computers. Look in Computer Settings... Windows Settings... Security Settings... RESTRICTED GROUPS

    Add an entry for "BUILTIN\Administrators" and list ALL the AD groups you wish to be a member. Any group NOT in this list will be removed from the local admins group on affected machines.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Assign Local Admin status through GPO

      Hi,

      One more easy trick for you:

      Add a computer startup script at domain level with the following entry:

      "net localgroup administrators Domain\username /add"

      This will do for you.

      Regards,
      Kapil Sharma
      ~~~~~~~~~~~~~
      Life is too short, Enjoy It.



      • #4
        Re: Assign Local Admin status through GPO

        And consider adding them to the "Power Users" group on the local machines, rather than Administrators. Just a thought.
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



        • #5
          Re: Assign Local Admin status through GPO

          What can a member of Administrators do that a Power User cannot do?



          • #6
            Re: Assign Local Admin status through GPO

            Hi,

            Power Users have almost the same powers as admins; the difference is that they cannot modify the users created by admins, they can only change the properties of users created by themselves. Additionally, they cannot take ownership to change predefined permissions on any objects.

            Regards,
            Kapil Sharma
            ~~~~~~~~~~~~~
            Life is too short, Enjoy It.



            • #7
              Re: Assign Local Admin status through GPO

              It's interesting, this one, so take a look at http://www.google.co.uk/search?hl=en...+user%22&meta= for some more detail.
              Best wishes,
              PaulH.
              MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



              • #8
                Re: Assign Local Admin status through GPO

                Thanks everyone.

                By looking at Local Security Settings / Security Options we can see a big difference in permissions between the Administrators and Power Users groups.



                • #9
                  Re: Assign Local Admin status through GPO

                  Is there a way to also remove ALL from the Power Users group, the same as we do with Restricted Groups for Local Admins?

                  Cheers,



                  • #10
                    Re: Assign Local Admin status through GPO

                    This may help you:

                    Code:
                    C:\>net localgroup /?
                    The syntax of this command is:
                    
                    NET LOCALGROUP
                    [groupname [/COMMENT:"text"]] [/DOMAIN]
                                  groupname {/ADD [/COMMENT:"text"] | /DELETE}  [/DOMAIN]
                                  groupname name [...] {/ADD | /DELETE} [/DOMAIN]
                    
                    
                    C:\>
                    So use the /DELETE switch. I presume by the word ALL in your post, you mean the "Everyone" group, anyway, apply the NET LOCALGROUP command as you see fit.
                    Best wishes,
                    PaulH.
                    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                    • #11
                      Re: Assign Local Admin status through GPO

                      Originally posted by aa11:
                      Is there a way to also remove ALL from the Power Users group, the same as we do with Restricted Groups for Local Admins?

                      Cheers,
                      Yes, create an entry in the policy for "BUILTIN\Power Users" and don't put anything in it. Any user added to Power Users on a member server will be removed within minutes.


                      Tom
                      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                      Anything you say will be misquoted and used against you



                      • #12
                        Re: Assign Local Admin status through GPO

                        Originally posted by Stonelaughter:
                        Originally posted by aa11:
                        Is there a way to also remove ALL from the Power Users group, the same as we do with Restricted Groups for Local Admins?
                        Yes, create an entry in the policy for "BUILTIN\Power Users" and don't put anything in it. Any user added to Power Users on a member server will be removed within minutes.

                        It is exactly the same way as you do with Restricted Groups for Local Admins -> use the "Members of this group" section of the Restricted Group to add members or no members; the policy will overwrite the present member list of the local group.
                        http://technet2.microsoft.com/window....mspx?mfr=true

                        Just create new Restricted Group(s) named after the local group(s):
                        • Administrators
                        • Backup Operators
                        • Network Configuration Operators
                        • Power Users
                        • Remote Desktop Users
                        • Offer Remote Assistance Helpers
                        • etc.


                        Note;
                        Choose not to add domain users directly as members to a Restricted Group. It is good practice to create a new global security group in AD first (i.e. "Client Power Users" or "Client Network Configuration Operators") and make that group a member of the Restricted Group. Then add the users as members of the new security group instead of making them direct members of the restricted group, unless the account you want to add is a client local account.

                        \Rems

                        EDIT
                        The name of some local groups can be different on a computer with an OS in another language (and sometimes the name of the built-in administrator account can be different too).
                        You could create different Restricted Groups for each language - a Restricted Group is effective only when the group exists by that name on the local computer.
                        But a much better solution is to use the "Browse" option when adding a new Restricted Group;
                        - install gpmc.msc on a client computer or member server,
                        - 'Add' new Restricted Group -> browse locally on your computer (not in AD) for the group (or administrator account).
                        You see no difference in the policy after you create the Restricted Group this way, but by doing so the GPO now uses the SID instead of the name of the group when the policy is processed. And a SID is language independent. http://www.windowsitpro.com/Articles...2527.html?Ad=1


                        (When you create the 'Administrators' Restricted Group, do not forget to add also the "domain\Domain Admins" as a member of that group)
                        Last edited by Rems; 12th December 2007, 14:40.

                        This posting is provided "AS IS" with no warranties, and confers no rights.

                        __________________

                        ** Remember to give credit where credit's due **
                        and leave Reputation Points for meaningful posts
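
Added example, not part of the thread or any poster's code: a Python check of the `[Group Membership]` section in which a GPO's GptTmpl.inf stores Restricted Groups settings, flagging the pitfalls raised in the posts above (name-based entries, an Administrators list without Domain Admins, empty member lists). The sample file content and domain SID are constructed, the function names are illustrative, and `S-1-5-32-547` is the well-known SID of Power Users.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GptTmpl.inf; the domain SID is a placeholder.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-32-547__Members =
Remote Desktop Users__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
"""

def parse_group_membership(text):
    """Return {group: [members]} for each '<group>__Members' line."""
    groups, in_section = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep and kind.lower() == "members":
                groups[group] = [m.strip() for m in value.split(",") if m.strip()]
    return groups

def is_domain_admins(member):
    # Domain Admins is RID 512 under the domain SID; a name entry is accepted too.
    return (re.fullmatch(r"\*?S-1-5-21(-\d+){3}-512", member) is not None
            or member.lower().endswith("\\domain admins"))

def audit(text):
    """Return review findings for the pitfalls raised in the thread."""
    findings = []
    for group, members in parse_group_membership(text).items():
        if not group.startswith("*S-"):
            findings.append(f"{group}: matched by name, not SID")
        if group.lstrip("*") == ADMINISTRATORS and not any(map(is_domain_admins, members)):
            findings.append(f"{group}: Domain Admins missing, policy will remove it")
        if not members:
            findings.append(f"{group}: empty list, policy removes every member")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print(finding)
```

The file in SYSVOL is usually saved as UTF-16, so decode it with that encoding before passing its text to `audit`.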



                        • #13
                          Re: Assign Local Admin status through GPO

                          This is it,
                          thanks very much to all of you for your replies.

                          cheers,

