  • Local Admin on all machines and add comp to domain

    Hello all,

    I have been doing some research on how to do these two things, but I don't seem to be having much luck on these specific issues. I currently have domain admins, which of course has all of the system administrators. I recently created a group called Desktop Support, which will house the...can we guess...desktop support people.

    I need this desktop support group to have two things:
    1. The ability to add computers to the domain.
    2. Set up the group as a local administrator on all client PCs (not servers).

    As for my computer name structure, they are in different OUs. So when I add a machine to the domain, it ends up in the Computers folder. After that, I move the computer into a different OU called either Laptop, Desktops or Servers.

    Thank you for taking a look and reading. If you have any suggestions, I thank you in advance.

  • #2
    Re: Local Admin on all machines and add comp to domain

    I am sorry, I guess I missed the GPO forum. I will post this there.

    Once again, sorry.



    • #3
      Add domain group to local admin and add a pc to domain

      Hello all,

      I have been doing some research on how to do these two things, but I don't seem to be having much luck on these specific issues. I currently have domain admins, which of course has all of the system administrators. I recently created a group called Desktop Support, which will house the...can we guess...desktop support people.

      I need this desktop support group to have two things:
      1. The ability to add computers to the domain.
      2. Set up the group as a local administrator on all client PCs (not servers).

      As for my computer name structure, they are in different OUs. So when I add a machine to the domain, it ends up in the Computers folder. After that, I move the computer into a different OU called either Laptop, Desktops or Servers.

      Thank you for taking a look and reading. If you have any suggestions, I thank you in advance.



      • #4
        Re: Local Admin on all machines and add comp to domain

        A Mod can move the post instead of you double posting..

        To answer your question, take a look at Restricted Groups in the GPO. Add the group in the local administrators that way. Then, you might want to delegate control over the computer objects in the OU where desktops are to the same group, as I suppose they will be joining machines to the domain etc..
        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



        • #5
          Re: Add domain group to local admin and add a pc to domain

          We have two groups:

          Desktop Support: gGpl_AddGrouptoLocalAdminsGroup
          Domain Admins: Domain Admins

          We add both groups to all Local Administrators groups on workstations by GPO:

          Computer Configuration\Windows Settings\Security Settings\Restricted Groups
          GroupName = Administrators
          Members = myDomain\gGpl_AddGrouptoLocalAdminsGroup, myDomain\Domain Admins

          Of course you apply this GPO to the OU with your workstations as your servers will be in their own, separate OU. Your Desktop users should be in the "gGpl_AddGrouptoLocalAdminsGroup" group.

          As for adding computers to the domain, edit "Default Domain
          Controller" group policy under "Computer Configuration\Windows
          Settings\Security Settings\Local Policies\User Rights Assignment\". Here
          look for policy named "Add workstations to domain" and double click on it.

          Now add the group "gGpl_AddGrouptoLocalAdminsGroup" to this policy.

          Wait for the replication to finish between the DCs and your help desk
          personnel are now able to add workstations to the domain.
          |
          +-- JDMils
          |
          +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
          |



          • #6
            Re: Add domain group to local admin and add a pc to domain

            I appreciate you getting back to me on this. I have been doing research and stumbled across the restricted groups policy. I had a question about the way it works though. If I set up restricted groups, can I still add individual users to the local admin group? Many of my users need to be local admins on their machines because of the type of work and software they do/use. This is something I will need to test.

            As for the adding machines to the domain, I did edit that GPO but it doesn't seem to help with anything. My support group is still having problems adding machines to the domain. Anyone have any ideas about what could be causing this?



            • #7
              Re: Local Admin on all machines and add comp to domain

              Originally posted by gepeto:
              A Mod can move the post instead of you double posting..

              To answer your question, take a look at Restricted Groups in the GPO. Add the group in the local administrators that way. Then, you might want to delegate control over the computer objects in the OU where desktops are to the same group, as I suppose they will be joining machines to the domain etc..
              Thank you for the response.

              Is it possible to have the mods delete this post or lock it or something....



              • #8
                Re: Local Admin on all machines and add comp to domain

                Moved to GPO forum at OPs request
                And merged with the other thread

                Reasons not to double post number 403.5......
                Last edited by Ossian; 16th May 2008, 10:50.
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: Add domain group to local admin and add a pc to domain

                  Originally posted by JDMils:
                  We have two groups:

                  Desktop Support: gGpl_AddGrouptoLocalAdminsGroup
                  Domain Admins: Domain Admins

                  We add both groups to all Local Administrators groups on workstations by GPO:

                  Computer Configuration\Windows Settings\Security Settings\Restricted Groups
                  GroupName = Administrators
                  Members = myDomain\gGpl_AddGrouptoLocalAdminsGroup, myDomain\Domain Admins

                  Of course you apply this GPO to the OU with your workstations as your servers will be in their own, separate OU. Your Desktop users should be in the "gGpl_AddGrouptoLocalAdminsGroup" group.

                  As for adding computers to the domain, edit "Default Domain
                  Controller" group policy under "Computer Configuration\Windows
                  Settings\Security Settings\Local Policies\User Rights Assignment\". Here
                  look for policy named "Add workstations to domain" and double click on it.

                  Now add the group "gGpl_AddGrouptoLocalAdminsGroup" to this policy.

                  Wait for the replication to finish between the DCs and your help desk
                  personnel are now able to add workstations to the domain.

                  This works great, but the only problem I have is that if I do this to all of my computers in the domain, it overwrites what is currently in the local administrators group. The majority of my users need to be a local admin on their box. Is there a way around this...or maybe a GPO that allows you to create local groups on the machine itself.

                  Thank you once again.



                  • #10
                    Re: Local Admin on all machines and add comp to domain

                    I figured out what I did wrong with the restricted groups. I set up the reverse...I had it overwrite instead of add my domain group to the local group. Sorry...my brain is fried.

                    Now I just need to figure out why I can't setup my desktop support group to add machines to the domain. I added them to the GPO and delegated control to them, but it still doesn't seem to be working. I am getting an access is denied error.

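As an added example (not code from any poster in this thread), here is a small Python audit of the Security Settings template (GptTmpl.inf) that the two GPO settings from #5 are stored in. It separates the "Members" form of Restricted Groups, which replaces the local group's whole membership as #9 and #10 ran into, from the additive "Member of" form, and lists who holds the "Add workstations to domain" right. The template text, the domain name and the SIDs in it are constructed.

```python
import configparser

# Constructed GptTmpl.inf excerpt (real files are UTF-16; decode before parsing).
# "*S-1-5-32-544__Members" enforces exactly that membership of the local
# Administrators group on every refresh, removing everyone else; the
# "Desktop Support__Memberof" form only adds that group and leaves the rest.
SAMPLE_INF = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = myDomain\\gGpl_AddGrouptoLocalAdminsGroup,myDomain\\Domain Admins
myDomain\\Desktop Support__Memberof = *S-1-5-32-544
myDomain\\Desktop Support__Members =
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11,myDomain\\gGpl_AddGrouptoLocalAdminsGroup
"""

def parse_inf(text):
    """Parse the INI-style template, keeping key case and the '*SID' names."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def restricted_groups(cp):
    """Return (replace, additive): '__Members' lines rewrite the named local
    group's entire membership; '__Memberof' lines just add the principal."""
    replace, additive = [], []
    for key, value in cp.items("Group Membership"):
        name, _, mode = key.rpartition("__")
        members = _split(value)
        if members and mode == "Members":
            replace.append((name, members))
        elif members and mode == "Memberof":
            additive.append((name, members))
    return replace, additive

def machine_account_holders(cp):
    """Principals holding 'Add workstations to domain'; *S-1-5-11 is
    Authenticated Users, the default holder on domain controllers."""
    return _split(cp.get("Privilege Rights", "SeMachineAccountPrivilege", fallback=""))

def audit(text):
    """One finding per line, flagging entries that replace local membership."""
    cp = parse_inf(text)
    replace, additive = restricted_groups(cp)
    out = [f"REPLACES membership of {g}: {', '.join(m)}" for g, m in replace]
    out += [f"ADDS {p} to {', '.join(g)}" for p, g in additive]
    out.append("Add workstations to domain: " + ", ".join(machine_account_holders(cp)))
    return out
```

Running `audit()` over the templates exported from your GPOs (the inf lives under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL) shows at a glance which policies will strip the per-user local admins #9 worried about.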


                    • #11
                      Re: Local Admin on all machines and add comp to domain

                      Sounds like you delegated account operator control to this team? The Account Operator group does not grant Read permissions on the built-in OU, so you need to fix your permissions.

                      Use the delegation control wizard again and create a custom task for the OU. Add Object Type control for computer objects + create/delete objects in this folder. Under permissions set Read/write account restrictions, reset password, validate write to DNS host name, and validate write to service principal name.

                      Should fix your access denied issue.



                      • #12
                        Re: Local Admin on all machines and add comp to domain

                        Originally posted by f21:
                        Sounds like you delegated account operator control to this team? The Account Operator group does not grant Read permissions on the built-in OU, so you need to fix your permissions.
                        Any authenticated user has read access to almost all of the objects in domain partition (including the built-in Computers and Users containers)
                        Guy Teverovsky
                        http://blogs.technet.com/b/isrpfeplat/
                        "Smith & Wesson - the original point and click interface"
