Zhrakkan Posted April 7, 2006

I have a question for those that might have done it. I want to have a GP created on OU X. I want ALL computers to have 3 groups dropped into the local admin group of all PCs in that OU. Do I need to create a simple COMPUTER GP on the OU with the following:

Edit Windows Settings\Security Settings\Local Policies\Restricted Groups

Then simply add in

    DOMAINNAME\AdminGroup1
    DOMAINNAME\AdminGroup2
    DOMAINNAME\AdminGroup3

Will this OVERWRITE anything there? Or just add these groups in?

I appreciate your assistance.
InTheWayBoy Posted April 7, 2006

Hmmm... that is a good question. I know that's how I did it when I needed local admins for a while, but I never checked to see if it over-writes anything. I believe it does though, so be careful.
fizban2 Posted April 7, 2006

Restricted groups would not be the way to do it; a startup script or a logon script would be the way to go.

More in depth: adding those 3 groups to the restricted users will make ONLY those 3 groups able to be part of the admin group. If local users have to be (though they shouldn't be) then this won't work for you. A logon script based like this might work for you:

    Set g_oShell = CreateObject("Wscript.Shell")
    ' Authenticate to the domain first (the password is passed in quotes)
    g_oShell.Run "net use \\domain /user:<domain account> " & """" & "<account Password>" & """"
    ' Add AD groups to the local admin group
    g_oShell.Run "net localgroup administrators <domain-group>@<domain> /add"
nmX.Memnoch Posted April 7, 2006

Search is your friend. From this thread:

The easiest way that won't require you going to every machine to add the user(s) to the Local Admin group would be to create a domain group for the users you want to have local admin privs on your workstations (but not domain admin privs in your domain). Now create a simple CMD file with the following command:

    NET LOCALGROUP Administrators /ADD "DOMAIN\New Group Name"

Now set that CMD file as a startup script in GPO. This will ensure that the group is always there and will always be re-added if it's ever removed. It's also a good idea to add the following line in case the individual you give local admin privs to decides to try to lock out the domain admins:

    NET LOCALGROUP Administrators /ADD "DOMAIN\Domain Admins"

You could even have a different Group and Startup Script for each OU.

I would recommend creating a separate admin account for them to use for admin purposes though. For instance, their normal account would be something like firstname.lastname and this would be tied to their Exchange mailbox, etc. Then the separate admin account would be something like firstname.lastname.admin and not have privs to anything except what is required to perform admin functions.
fizban2 Posted April 7, 2006

I like my VB script, but I agree, having a secondary account for admin rights if it is needed, like a-<account>, and their normal account would be nice. But to add a domain group to the local admin group, wouldn't you need to provide credentials for the add?
nmX.Memnoch Posted April 8, 2006

"but to add a domain group to the local admin group wouldn't you need to provide credentials for the add?"

Not if you do it with GPO as a machine startup script.
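An added example, not code posted in this thread: a machine startup script, written here in PowerShell, that does what nmX.Memnoch's CMD file does but only adds the domain groups that are missing and logs each result, so it adds to the existing local Administrators membership rather than replacing it the way fizban2 describes Restricted Groups doing. DOMAIN\AdminGroup1-3 and the log path are placeholders, and it assumes it runs as SYSTEM from Computer Configuration > Windows Settings > Scripts > Startup, which is why no credentials are passed.

```powershell
# Added example (not from the thread). Idempotent startup script: ensure a fixed
# set of domain groups is in the local Administrators group without touching
# any other members. Assumes it runs as SYSTEM via a GPO computer startup script.
$RequiredGroups = @(
    'DOMAIN\AdminGroup1',     # placeholder group names
    'DOMAIN\AdminGroup2',
    'DOMAIN\AdminGroup3',
    'DOMAIN\Domain Admins'    # re-add domain admins in case a local admin removed them
)
$LogFile = Join-Path $env:SystemRoot 'Temp\localadmin-startup.log'   # assumed path

function Get-LocalAdminMembers {
    # Parse "net localgroup Administrators": members are the lines between the
    # dashed separator and "The command completed successfully."
    $lines = net localgroup Administrators
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

$current = @(Get-LocalAdminMembers)
foreach ($g in $RequiredGroups) {
    $stamp = Get-Date -Format s
    if ($current -contains $g) {            # -contains is case-insensitive
        Add-Content $LogFile "$stamp present: $g"
        continue
    }
    # Quote the name: group names may contain spaces (e.g. "Domain Admins")
    & net localgroup Administrators "$g" /add | Out-Null
    $result = if ($LASTEXITCODE -eq 0) { 'added' } else { "FAILED (exit $LASTEXITCODE)" }
    Add-Content $LogFile "$stamp $result : $g"
}
```

The log makes it easy to spot a machine where a group keeps reappearing as "added" at every boot, which means someone is removing it between restarts.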