The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.

 


Subject: RE: [gptalk] Making numerous AD users local admins on different machines
Wornell1, 12/16/2009 1:53 PM
We did this by creating a Domain Local group named "Local Administrators". We then put the user and group objects we want to show up in the local machine Administrators group into this new group. We created a group policy that uses Restricted Groups to add the "Local Administrators" group to the Administrators group on all our workstations. By using a WMI filter that looks at the OS caption and returns true if it does not find the word "Server" in the caption, it only applies to non-server boxes. We use a different policy and group to do the same thing for servers.

Works a charm, and by using the group we can move user objects in and out as we need to without having to change the policy.

Kevin
Kevin Wornell
Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of John Everyman
Sent: Wednesday, November 04, 2009 8:28 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Making numerous AD users local admins on different machines

Another potential way is to separate their user accounts into standard user and adminIDs. Add these adminIDs to an AD group, say "<your org.> admin IDs", and then add that group via GPO to the admin group on all PCs. This has now given all IDs in this group admin access to all PCs the GPO applies to. To then limit what machines these IDs can log on to, use the AD property 'logon to' to limit the machines the adminID can log on to. So the user Joe Blow with the admin ID joeBlowAdmin can be limited to only logging on to the PCs listed in the 'logon to' property. If he tries to log on to a machine not in that group (with his adminID) he'll get an access denied message.

From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Craig Meyer
Sent: Wednesday, 4 November 2009 10:02 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Making numerous AD users local admins on different machines

Hi Guys

We have a need where different users need to be local admins on different machines. For example, if the user group I'm talking about is 20 users and the PCs is 20, each and every one of these users must be made local admins on these PCs. Can this be done via GPO?

Thanks in advance guys/girls
Craig


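An added example, not code from the thread, for the 'logon to' approach described above: since the GPO makes every ID in the group an administrator on all PCs in its scope, an admin ID whose 'logon to' list is empty or wider than intended is not limited as planned. The PowerShell function below flags such accounts; the account names, PC names and the `$expected` mapping are constructed, and `LogonWorkstations` is the ActiveDirectory module's property name for the 'logon to' list.

```powershell
# Added example, not code from the thread. Account names, PC names and the
# $expected mapping are constructed. LogonWorkstations is a comma-separated
# list of computer names; empty means the account may log on anywhere.
function Test-AdminIdLogonScope {
    [CmdletBinding()]
    param(
        # User object with SamAccountName and LogonWorkstations properties
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        # Hypothetical mapping: admin ID -> PCs it is meant to administer
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    process {
        # Normalise the 'logon to' list into upper-case computer names
        $actual = @()
        if ($User.LogonWorkstations) {
            $actual = @($User.LogonWorkstations -split ',' |
                ForEach-Object { $_.Trim().ToUpperInvariant() } |
                Where-Object { $_ })
        }
        $want = @(@($Expected[$User.SamAccountName]) | Where-Object { $_ } |
            ForEach-Object { $_.ToUpperInvariant() })
        # PCs the ID may log on to but was never assigned
        $extra = @($actual | Where-Object { $want -notcontains $_ })

        $status = 'OK'
        if ($extra.Count -gt 0)  { $status = 'OutOfScope' }
        if ($actual.Count -eq 0) { $status = 'Unrestricted' }  # admin on every PC in GPO scope

        [pscustomobject]@{
            AdminId = $User.SamAccountName
            Status  = $status
            LogOnTo = $actual -join ','
            Extra   = $extra -join ','
        }
    }
}

# Constructed sample data standing in for AD user objects
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'joeBlowAdmin'; LogonWorkstations = 'PC01,PC02' }
    [pscustomobject]@{ SamAccountName = 'janeDoeAdmin'; LogonWorkstations = $null }
    [pscustomobject]@{ SamAccountName = 'samRoeAdmin';  LogonWorkstations = 'PC03,PC09' }
)
$expected = @{ joeBlowAdmin = 'PC01', 'PC02'; janeDoeAdmin = 'PC05'; samRoeAdmin = 'PC03' }
$sampleUsers | Test-AdminIdLogonScope -Expected $expected | Format-Table -AutoSize

# Live domain (ActiveDirectory module; the group name is a placeholder):
# Get-ADGroupMember 'Org Admin IDs' -Recursive | Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties LogonWorkstations | Test-AdminIdLogonScope -Expected $expected
```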

Copyright 2009 by GPOGUY.COM