Announcement

Collapse
No announcement yet.

Local system admin rights via group policy

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Local system admin rights via group policy

    Hi,
    Please tell me how to add a group as a member of local Administrator Group in Workstation which is a member of a domain. That group should be other than domain admin group. since domain admin group will be in the Administrators group by default.
    Please tell me the solution for the same

    Thanks
    PREMKUMAR
    EMAIL REMOVED BY MOD TO PREVENT SPAM
    Last edited by Rems; 3rd June 2009, 21:08.

  • #2
    Re: Local system admin rights via group policy

    Restricted Groups
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Local system admin rights via group policy

      create a restricted group under your policy.
      call it 'administrators' (or whatever the admin group is)
      add the relevant groups.. it might be "domain users' or 'supervisors" or "helpdesk staff" or whatever.
      ensure that you also have the local 'Administrator' account listed in there.
      apply the policy.
      done.
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

      Comment


      • #4
        Re: Local system admin rights via group policy

        a quick tip, its very easy to inadvertently remove any other account that had local administrator rights. (ignore if this is also your intention )

        The way to avoid this is when you open restricted groups add the group that you want to have admin rights as a "Member of" the administrator group, that way you will not remove any of the existing memberships.
        it should look like this in GPO

        Group Name = domain\required_group, Members = Blank ,Member Of = Administrator



        If you wanted to restrict the administrator group membership to only specified accounts it would look like this

        Group Name = BUILTIN\Administrators , Members = Administrator;domain\required_group ,Member Of = Blank



        also remember to apply this gpo only to your workstations not your servers
        Last edited by hazey; 10th June 2009, 00:34.

        Comment

        Working...
        X