Control local group membership on domain computers?


jmusson

Hi,

I'm looking for a way to force computers on our domain to keep domain admins in the local administrators group. Unfortunately, restricted groups doesn't quite do what I need, because our company has a policy of making each user the local administrator on their own laptop (I know, I know, but we've found it solves more problems than it creates for our very mobile user base, especially when they work at client sites). Unfortunately, some of our users like to remove domain admins from the local Administrators group.

Does anyone know of a way to require domain admins be a member of the local Administrators group and still allow individual users to be local admins on their own machines as well?

Thanks,

John



From this thread:

The easiest way that won't require you going to every machine to add the user(s) to the Local Admin group would be to create a domain group for the users you want to have local admin privs on your workstations (but not domain admin privs in your domain). Now create a simple CMD file with the following command:

NET LOCALGROUP Administrators /ADD "DOMAIN\New Group Name"

Now set that CMD file as a startup script in GPO. This will ensure that the group is always there and will always be readded if it's ever removed. It's also a good idea to add the following line in case the individual you give local admin privs to decides to try to lock out the domain admins:

NET LOCALGROUP Administrators /ADD "DOMAIN\Domain Admins"

You could even have a different Group and Startup Script for each OU.

I would recommend creating a separate admin account for them to use for admin purposes though. For instance, their normal account would be something like firstname.lastname and this would be tied to their Exchange mailbox, etc. Then the separate admin account would be something like firstname.lastname.admin and not have privs to anything except what is required to perform admin functions.

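As an added example (my own code, not a script posted in this thread), here is a PowerShell version of the startup script described in the reply above, written to be deployed as a computer startup script so it runs as SYSTEM on every boot regardless of which account logs on. It checks the current membership of the local Administrators group, re-adds anything that is missing, and records what it did in the Application event log so removals are visible. Assumptions that are not from the thread: the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), the placeholder domain name CONTOSO, the placeholder group name "Workstation Admins", and the placeholder SID S-1-5-21-0-0-0-512, which must be replaced with the real Domain Admins SID of your domain (domain SID plus RID 512).

```powershell
# Ensure-LocalAdmins.ps1
# Added example for this thread, not a poster's script.
# Deploy under Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
# so it runs as SYSTEM at boot, independent of the user who logs on afterwards.
#
# Assumptions (placeholders, not from the thread):
#   CONTOSO                     - the domain NetBIOS name
#   CONTOSO\Workstation Admins  - the delegated group of users who get local admin
#   S-1-5-21-0-0-0-512          - stands in for the real Domain Admins SID; look it
#                                 up once with (Get-ADGroup 'Domain Admins').SID.Value

$LogSource = 'Ensure-LocalAdmins'

# Members that must always be present in BUILTIN\Administrators.
# Domain Admins is listed by SID rather than by name. Assumption to verify in your
# environment: the SID form is stored by SAM as given and so does not need the name
# resolved against a domain controller, which is what fails when a laptop is off the
# corporate network. The name form below does need resolution and may fail offline.
$RequiredMembers = @(
    'S-1-5-21-0-0-0-512',          # CONTOSO\Domain Admins (placeholder SID, RID 512)
    'CONTOSO\Workstation Admins'   # delegated local-admin group, by name
)

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-Status {
    param([string]$Message, [string]$Type = 'Information', [int]$Id = 1000)
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId $Id -Message $Message
}

# Resolve the Administrators group by its well-known SID so the script also works
# on localised Windows builds where the group name is not "Administrators".
$Admins = Get-LocalGroup -SID 'S-1-5-32-544'

# Enumerate current members. Some builds of Get-LocalGroupMember throw when the
# group contains an orphaned (unresolvable) SID; in that case treat the list as
# empty and let Add-LocalGroupMember report "already a member" for existing ones.
try {
    $Current = @(Get-LocalGroupMember -Group $Admins -ErrorAction Stop)
}
catch {
    Write-Status "Could not enumerate Administrators members: $($_.Exception.Message)" 'Warning' 1003
    $Current = @()
}

foreach ($Member in $RequiredMembers) {
    # A required entry may be given as a SID or as DOMAIN\Name; match either column.
    $Present = $Current | Where-Object { $_.SID.Value -eq $Member -or $_.Name -eq $Member }
    if ($Present) { continue }

    try {
        Add-LocalGroupMember -Group $Admins -Member $Member -ErrorAction Stop
        Write-Status "Re-added '$Member' to Administrators; it had been removed." 'Warning' 1001
    }
    catch {
        if ($_.Exception.Message -match 'already a member') {
            # Only reachable when enumeration failed above; membership is intact.
            continue
        }
        # Typical off-network failure for the name form: the account cannot be found.
        Write-Status "Could not add '$Member' to Administrators: $($_.Exception.Message)" 'Error' 1002
    }
}
```

Two practical notes. Event IDs 1001 and 1002 from this source are the ones worth alerting on centrally: 1001 means somebody removed a required member since the last boot, 1002 means the laptop booted without being able to restore it. And the OP's concern about Restricted Groups applies only to the "Members of this group" direction, which replaces the whole membership; the "This group is a member of" direction is additive, so adding Domain Admins that way keeps per-machine local admins intact and is worth considering alongside a script.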

Thanks for the suggestions. The idea of a login script will certainly be useful, but is there any way to have the policy be based on the computer, instead of the user account? Ideally, I'd like to be able to force Domain Admins back into the local admin group even if the user logs on with the local admin account, off the domain. I haven't seen anything along those lines in my research, so we may have to limit ourselves to the domain-based login script.

Thanks,

John


Now set that CMD file as a startup script in GPO.

Make it a machine startup script instead of a user logon script within GPO. That way anytime the machine is rebooted or GPO refreshes the group will be readded if it's been removed. This is done in the Group Policy Editor at Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).

Edited by nmX.Memnoch

Only problem with this suggestion: if this is a very mobile client base, GPO isn't going to be applied very often to them unless you have it kicked off when they VPN into the network. What are you using for a VPN solution for your clients?


A regular logon script won't work in that case either because if they aren't connected to the domain then Windows won't be able to "find" the Domain Admins group.

Setting it as a GPO ensures that as soon as the laptop is brought back onto the corporate network the Domain Admins group will immediately be added back.

