local computer accounts configured through Group Policy

  • local computer accounts configured through Group Policy

    Hi everyone,

    I'm setting up group policies on my DC (Windows 2003 Enterprise SP2).

    How can I set up the type of account each user in my AD logs in as on a local computer?

    For example, I have user1, user2, and user3. How can I use group policy to make user1 an administrator on all computers they log into, user2 a power user, and user3 a guest account?

    I've been running into the problem of not being able to "logon interactively" on my XP SP2 clients. I have to manually go into the XP client machine to add the user or group of users under the different account types (admin, power user, etc.) before I am able to log in. I have already tried changing the default domain policy (computer settings) to allow logon locally to the "domain users" group, but this still doesn't help.

    Any tips or articles would be greatly appreciated!

    Thank you!

  • #2
    Re: local computer accounts configured through Group Policy

    Use Restricted Groups http://www.windowsecurity.com/articl...ed-Groups.html

    Create a new GPO for this setting - Microsoft recommend that you do not modify the default policies. And as I've had to repair the damage when someone else did, I back that up fully.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: local computer accounts configured through Group Policy

      When using the Restricted Groups policy setting, members who are already included in the group will be removed, so I suggest you be careful with that.
      If you want to maintain existing members and just add the users you want, I suggest you use the following script as a startup script:

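      Option Explicit
      Dim oGroup

      Const sLocalGroupName = "Administrators"
      Const sUser = "UserX"
      Const sDomain = "YOUR.DOMAIN.COM"

      ' Bind to the local group on this computer
      Set oGroup = GetObject("WinNT://localhost/" & sLocalGroupName)

      ' Add raises an error when the account is already a member, which would
      ' happen at every startup after the first, so do not stop on it
      On Error Resume Next
      oGroup.Add "WinNT://" & sDomain & "/" & sUser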



      • #4
        Re: local computer accounts configured through Group Policy

        Originally posted by Smart-X
        When using the Restricted Groups policy setting, members who are already included in the group will be removed, so I suggest you be careful with that.
        If you want to maintain existing members and just add the users you want, I suggest you use the following script as a startup script:

        Option Explicit
        Dim oGroup

        Const sLocalGroupName = "Administrators"
        Const sUser = "UserX"
        Const sDomain = "YOUR.DOMAIN.COM"

        ' Bind to the local group on this computer
        Set oGroup = GetObject("WinNT://localhost/" & sLocalGroupName)

        ' Add raises an error when the account is already a member, which would
        ' happen at every startup after the first, so do not stop on it
        On Error Resume Next
        oGroup.Add "WinNT://" & sDomain & "/" & sUser

        You ought to be careful that your advice is 100% accurate. If you use the "Restricted Groups" policy to list the members of a group you are correct.

        However if you use the restricted groups policy on the target audience with the "Member Of" setting, you can specify the opposite way round.

        e.g. if you want "Dave" to be a member of "Administrators", add "Dave" to the group "AdminsByPolicy". Specify "AdminsByPolicy" as a restricted group, and put "Administrators" on the "Member Of" tab of the policy.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you
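
The difference between the two Restricted Groups modes discussed in posts #3 and #4, as an added example that is not part of the original thread: a small Python model of how the `__Members` and `__Memberof` lines in the `[Group Membership]` section of a security template change a workstation's local Administrators group. The template text, the account names and the `PC01` workstation are constructed, and lines with an empty list are left out of the model.

```python
# Constructed model of the [Group Membership] section; all names are made up.
TEMPLATE_MEMBERS = r"""
[Group Membership]
Administrators__Members = CORP\Domain Admins,CORP\Dave
"""
TEMPLATE_MEMBER_OF = r"""
[Group Membership]
CORP\AdminsByPolicy__Memberof = Administrators
"""
# Local Administrators group on a constructed workstation before policy runs.
WORKSTATION = {"Administrators": {"CORP\\Domain Admins", "PC01\\localsupport"}}


def parse_group_membership(text):
    """Return (members, member_of), each keyed by the group its line names."""
    members, member_of, in_section = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        names = [v.strip() for v in value.split(",") if v.strip()]
        if not names:
            continue  # empty lists are not modelled here (simplification)
        if kind.lower() == "members":
            members[group] = names
        elif kind.lower() == "memberof":
            member_of[group] = names
    return members, member_of


def apply_policy(local_groups, text):
    """Return local group membership after the template has been applied."""
    members, member_of = parse_group_membership(text)
    result = {g: set(m) for g, m in local_groups.items()}
    for group, names in members.items():
        if group in result:
            result[group] = set(names)      # "Members": the list replaces the group
    for account, groups in member_of.items():
        for group in groups:
            if group in result:
                result[group].add(account)  # "Member Of": added, others kept
    return result
```

Applying `TEMPLATE_MEMBERS` drops `PC01\localsupport` from Administrators, while `TEMPLATE_MEMBER_OF` keeps it and adds `CORP\AdminsByPolicy`.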



        • #5
          Re: local computer accounts configured through Group Policy

          Hi dear,

          If you use the Restricted Groups policy, then the users you add to Administrators will be in the Administrators group of the domain controller, so in my opinion it is better not to use Restricted Groups.

          The command that will be useful for you is below.
          You need to add a particular user/group to the local Administrators group, right?
          Use the following as a start-up script: copy it into a .bat file.
          Let us say you want to add a domain user to the local Administrators account of all computers:

          net localgroup Administrators test.com\domainusers /ADD


          Please let me know if it's not working.
          Thanks
          Vijay
          ________
          Half-baked
          Last edited by vsharma; 10th April 2011, 06:32.



          • #6
            Re: local computer accounts configured through Group Policy

            Originally posted by vsharma
            If you use the Restricted Groups policy, then the users you add to Administrators will be in the Administrators group of the domain controller

            Naturally, you would not apply the restricted groups policy to the domain controller - that would be a very bad idea. As with all group policy settings, you only link the GPO to the OU(s) that you want it to apply to.

            Restricted Groups will do exactly what the OP wants, and if set up properly it will have no impact on the domain controllers. If used correctly, it can actually improve the security of your network, since administrative permissions on workstations will now be centrally controlled.
            Gareth Howells

