The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy. The Archives for this list can be found on this page.

List Posts

Unanswered Active Topics

Forums Search

Forums >GPTalk >GPTalk Mailing List

Subject: RE: [gptalk] Domain User to local admin rights group on single workstation

Prev Next

You are not authorized to post a reply.

Author

Messages

DarraghOShaughnessy User is Offline

Posts:161

02/17/2010 6:20 PM
Darren is right. Use GPP. Just press f1 when in any GPP and the help will explain what that preference item does Regards, Darragh O'Shaughnessy IT Services Department E-Mail: xxxxxxxxxxxxxxxx <mailto:xxxxxxxxxxxxxxxx> Ext: 2562 Direct Dial In: 01-7994028 Web Site: www.vhi.ie Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html <http://www.ecofont.eu/ecofont_en.html> This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses. From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Hatim Vali Sent: 17 February 2010 18:15 To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Domain User to local admin rights group on single workstation Darren, What if we want to keep clean slate on all managed-machines. Per-user local group management in GPP will flush if someone with admin rights sneaks to add another domain user(s) to local admin rights group without my knowledge. Can you elaborate on per-user local group management? You have any good document. Let me say the scenario currently. I have about 50 individual domain users with local admin rights on specific machine that is tied with current user. I have to create new 50 GPP in GPO for 50 individual domain users. What is best way from your experience to make it work smoothly and efficiently instead of making many GPO. I am to open on it. Thanks, On Mon, Feb 15, 2010 at 8:49 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote: Hatim- You might want to look at using GP Preferences to manage your local group memberships rather than Restricted Groups. Specifically the per-user local group management capabilities in GPP give you the ability to specify that you want to add the current logged on user to the local group. This might work for your situation. Darren From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Hatim Vali Sent: Monday, February 15, 2010 12:05 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Domain User to local admin rights group on single workstation Greetings, I am not sure if it already had been discussed or archived in the past. I am trying to figure out how to grant the individual domain user to local admin rights to a single workstation through GPO. Let me explain little background on my current AD. One policy for all machines is to keep flushing up any domain users from local administrators group on every machines. I am using Restricted Groups policy under Computer. It works great for domain groups under members in restricted groups. However, I am not able to see where I can add the domain user to local administrators group on specific machine instead of all machines. For example, when I added the domain user to local admin group on a machine, it disappeared after rebooting or gpupdating because of restricted group with members. >From my impression, we need to separate a special dedicated OU for some machines that allows individual user(s) to have admin rights. I don't want to create many GPO for specific machines under several OUs. What is your recommendation or Have you suggested the best solution? Thanks, -- Hatim A. Vali Data Center Engineer Information Technology Services Gallaudet University (202) 651-5300 (Office) (202) 651-5477 (Fax) ============================= //Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.// -- Hatim A. Vali Data Center Engineer Information Technology Services Gallaudet University (202) 651-5300 (Office) (202) 651-5477 (Fax) ============================= //Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.//

You are not authorized to post a reply.

Forums >GPTalk >GPTalk Mailing List > RE: [gptalk] Domain User to local admin rights group on single workstation

ActiveForums 3.7

Ads

The GPTalk Mailing List

List Posts

Members

Ads