jeromelcruz (Posts: 120) | 02/18/2010 10:25 PM
Hatim,
It sounds as if you have requirements to assign perhaps one or several "End Users" with local Administrator rights on a PC. As well, you have a requirement to assign one or more sets of "PC Admins" also with local Administrator rights. Additionally, it also sounds as if you need to keep this environment maintained...in other words, if a local Admin adds additional names to the local Administrators' group, you need your setup to restore the memberships back to what you have specified on a regular cycle. Lastly, you would like to accomplish this using a minimum number of Group Policy objects and preferably without creating a lot of custom OUs.
Are these the correct requirements?
If so, then you should be able to use the Local Group Membership GPP setting in a single GPO (or in several GPOs) for the 50 devices that you noted. That's probably still small enough to manage manually. The GPP interface allows you to add more than one controlling setting. So, for 10 devices, you would have 10 entries. Each entry would point to a single device and add a single domain security group to the local Admins group. You could also add any other domain security groups (like for OU Admins/Domain Admins, etc.). Then you would activate the Target Item Filter to apply that entry only to that single device.
It would look something like this:
GPPE Entry 1
  Name: Control Admins On "PC_Name_1" *
  Local Group: Administrators
    Add: PC_Name_1_Admins security group (put one or more End User Accounts here)
    Add: OU Admins security group
    Add: Domain Admins security group
  Target Item Filter: Only apply to PC_Name_1
GPPE Entry 2
  Name: Control Admins On "PC_Name_2" *
  Local Group: Administrators
    Add: PC_Name_2_Admins security group (put one or more End User Accounts here)
    Add: OU Admins security group
    Add: Domain Admins security group
  Target Item Filter: Only apply to PC_Name_2
GPPE Entry 3
  Name: Control Admins On "PC_Name_3" *
  Local Group: Administrators
    Add: PC_Name_3_Admins security group (put one or more End User Accounts here)
    Add: OU Admins security group
    Add: Domain Admins security group
  Target Item Filter: Only apply to PC_Name_3
And so on...
* - You can rename each Entry: just create it, right-click on it, and put in something noting the device name it applies to.
If your requirements are much larger, then you would probably still set up similar security groups, but switch to a scripted method. Or you could look into a third-party tool to manage everything.
Good Luck.
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Hatim Vali Sent: Thursday, February 18, 2010 4:06 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Domain User to local admin rights group on single workstation
After reading the documents from help (F1), I have to create each per-user local group for specific individual domain user(s) in several OUs. In the long run, I don't want to create more new policies for adding individual domain user(s) in the future, because I have several OU structures/trees (deeply nested, up to the 4th level).
Is the best solution to create a separate OU for special domain user(s) with local admin rights, and then set up a unique domain group that will be added to the local Administrators group easily?
I am trying to avoid the clutter of too many policies for this in designated OUs.
I hope my explanation is clarifying.
On Wed, Feb 17, 2010 at 1:17 PM, Darragh O'Shaughnessy <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Darren is right. Use GPP. Just press F1 when in any GPP and the help will explain what that preference item does.
Regards,
Darragh O'Shaughnessy IT Services Department
E-Mail: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Ext: 2562 Direct Dial In: 01-7994028
Web Site: www.vhi.ie<http://www.vhi.ie>
Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Hatim Vali Sent: 17 February 2010 18:15
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Domain User to local admin rights group on single workstation
Darren,
What if we want to keep a clean slate on all managed machines? Per-user local group management in GPP will flush it if someone with admin rights sneaks in to add another domain user(s) to the local admin rights group without my knowledge.
Can you elaborate on per-user local group management? Do you have any good document? Let me describe the current scenario. I have about 50 individual domain users with local admin rights on a specific machine that is tied to the current user. I have to create 50 new GPP entries in a GPO for 50 individual domain users. What is the best way, from your experience, to make it work smoothly and efficiently instead of making many GPOs? I am open on it.
Thanks,
On Mon, Feb 15, 2010 at 8:49 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Hatim- You might want to look at using GP Preferences to manage your local group memberships rather than Restricted Groups. Specifically the per-user local group management capabilities in GPP give you the ability to specify that you want to add the current logged on user to the local group. This might work for your situation.
Darren
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Hatim Vali Sent: Monday, February 15, 2010 12:05 PM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: [gptalk] Domain User to local admin rights group on single workstation
Greetings,
I am not sure if it already had been discussed or archived in the past.
I am trying to figure out how to grant an individual domain user local admin rights on a single workstation through GPO. Let me explain a little background on my current AD. One policy for all machines is to keep flushing any domain users from the local Administrators group on every machine. I am using the Restricted Groups policy under Computer. It works great for domain groups under Members in Restricted Groups.
However, I am not able to see where I can add the domain user to local administrators group on specific machine instead of all machines. For example, when I added the domain user to local admin group on a machine, it disappeared after rebooting or gpupdating because of restricted group with members.
From my impression, we need to separate a special dedicated OU for some machines that allows individual user(s) to have admin rights. I don't want to create many GPOs for specific machines under several OUs. What is your recommendation, or have you a suggested best solution?
Thanks,
-- Hatim A. Vali Data Center Engineer Information Technology Services Gallaudet University (202) 651-5300 (Office) (202) 651-5477 (Fax)
=============================
//Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.//
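The per-device GPP entries Jerry describes enforce an approved membership list on each refresh, which is what Hatim wants in order to catch someone quietly adding an extra account to the local Administrators group. A way to verify that the enforcement is actually holding, and to see the drift before the next refresh corrects it, is a scheduled audit on each workstation. The script below is an added example, not code from the gptalk thread or from any of its authors; the CSV layout, the CORP domain, the group names and the device names are assumptions made up for the illustration.

```powershell
# Added example (not from the thread): compare this workstation's local
# Administrators group with the per-device approved set that the GPP Local
# Group entries are meant to enforce, and report any drift.
# Assumed inputs: a CSV with one row per (Device, Member), e.g.
#   Device,Member
#   PC_Name_1,CORP\PC_Name_1_Admins
#   PC_Name_1,CORP\OU Admins
#   PC_Name_1,CORP\Domain Admins
# "CORP", the group names and the device names are constructed placeholders.
param(
    [string]$ApprovedListPath = (Join-Path $PSScriptRoot 'approved-local-admins.csv'),
    [switch]$Remediate   # only remove unexpected members when explicitly asked
)

$device = $env:COMPUTERNAME

# Approved members for this device, normalised for a case-insensitive comparison.
$approved = Import-Csv -Path $ApprovedListPath |
    Where-Object { $_.Device -eq $device } |
    ForEach-Object { $_.Member.Trim().ToLowerInvariant() }

if (-not $approved) {
    Write-Warning "No approved-member rows for $device in $ApprovedListPath; nothing checked."
    return
}

# Get-LocalGroupMember comes with the LocalAccounts module
# (Windows 10 / Windows Server 2016 and later).
$current = @(Get-LocalGroupMember -Group 'Administrators')

$unexpected = @()
foreach ($member in $current) {
    # The built-in local Administrator account always has RID 500; it is
    # not managed through the domain group list, so it is never flagged.
    if ($member.SID.Value -like 'S-1-5-21-*-500') { continue }
    if ($approved -notcontains $member.Name.ToLowerInvariant()) {
        $unexpected += $member
    }
}

# Approved members that are absent: the GPP entry has not applied (or was undone).
$currentNames = $current | ForEach-Object { $_.Name.ToLowerInvariant() }
$missing = $approved | Where-Object { $currentNames -notcontains $_ }

# One record per run; collect these centrally to spot drift across the fleet.
[pscustomobject]@{
    Device     = $device
    CheckedAt  = (Get-Date).ToString('s')
    Unexpected = ($unexpected | ForEach-Object { $_.Name }) -join ';'
    Missing    = $missing -join ';'
    InPolicy   = (-not $unexpected) -and (-not $missing)
}

# Optional remediation mirrors what the GPP entry does on its next refresh.
if ($Remediate -and $unexpected) {
    foreach ($member in $unexpected) {
        Write-Verbose "Removing unexpected member $($member.Name) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $member
    }
}
```

Run it from a scheduled task under SYSTEM and forward the emitted record to whatever collects your workstation output; the interesting rows are those where InPolicy is false. Leaving remediation behind an explicit switch keeps the audit read-only by default, so a mistake in the CSV reports a discrepancy rather than removing a legitimate administrator.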