Add Domain Admins to Local admin group

Discussion in 'Windows Server' started by JohnB, Oct 2, 2009.

  1. JohnB

    JohnB Guest

    Is there a way, with a GPO, that I can add the Domain Admins group to the
    Local Administrator's group on every PC?
     
    JohnB, Oct 2, 2009
    #1


  2. Yes, there is, with Restricted Groups or Group Policy Preferences. Read more
    below.

    ==================================================================
    ==================================================================
    Restricted Groups

    I usually do this from a non-DC with the GPMC installed because you need
    access to local groups on a non-DC, however manually typing in
    "Administrators" or "Users" should work if you do it from a DC.

    Going on memory... forgive me if I missed a step...

    In AD, create an OU and call it Restricted Groups (or whatever you want to
    call it)
    In AD, create a group and call it Local Power Users Group
    Create another group and call it Local Admin Users Group
    Log on as a domain admin on an XP machine
    Install the GPMC on an XP machine
    Open the GPMC and navigate to the OU you created above
    Create and link a new GPO to the OU
    Right-click on it and choose Edit
    Navigate to the Computer section, and Restricted Groups
    Choose new group, browse to the domain's Local Power Users Group and add it
    to the local XP machine's groups, and choose Power Users
    Choose new group, browse to the domain's Local Admin Users Group and add it
    to the local XP machine's groups and choose Administrators
    Move the computer to the OU
    Add the user to the Local Power Users Group in AD that you created above
    On the machine where the user is logged on, have him log off and log on
    You may have to have him do it twice
    In the XP's computer Management console, look at the Local Power Users and
    Administrators Groups and see if the Domain\Local Power Users Group is added
    to the machine's local Power Users group and the Local Admin Users Group is
    added to the machine's local Administrators group. If so, they will show up
    as grayed out, meaning the policy is working. If you added the user to the
    domain's Local Power Users Group, then the user should now be able to
    perform actions of a Power User.

    ------
    Related Links:

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Restricted groups are made for that:
    http://www.frickelsoft.net/blog/?p=13

    ------
    You can also use Group Policy Preferences:

    You can take advantage of the Local Users and Groups settings of Group
    Policy Preferences, which gives you an option to add the current user to an
    arbitrary local group (including local Administrators). For more info, refer
    to http://technet.microsoft.com/en-us/library/cc731972.aspx
    ==================================================================
    ==================================================================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Oct 2, 2009
    #2

  3. JohnB

    JohnB Guest

    Ok I'll give that a try.
    Thanks


     
    JohnB, Oct 2, 2009
    #3

  4. You are welcome!

    Ace
     
    Ace Fekay [MCT], Oct 3, 2009
    #4
  5. DaveMills

    DaveMills Guest

    I am missing something here, by default the "domain admins" group is a member of
    the local "administrators" group.
     
    DaveMills, Oct 3, 2009
    #5

  6. Good point. That's default anyway with a joined machine. I overlooked that.
    Hmm...

    So I wonder why the domain admin group is no longer part of the joined
    machine's local admin group.

    Ace
     
    Ace Fekay [MCT], Oct 3, 2009
    #6
  7. Local admin can remove Domain Admins from Local administrators group.
     
    Dusko Savatovic, Oct 3, 2009
    #7

  8. Good point. Restricted groups will definitely eliminate this possibility.
    :)

    Ace
     
    Ace Fekay [MCT], Oct 4, 2009
    #8
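
The manual check at the end of post #2 (looking at the local groups in Computer Management) and the drift described in post #7 can be scripted. The following is an added example, not code from any poster in this thread; `CONTOSO`, `PC01`, `jsmith` and the function name `Compare-LocalAdminMembership` are constructed placeholders, and the live query assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. CONTOSO, PC01 and jsmith are constructed placeholders.
function Compare-LocalAdminMembership {
    param(
        [string[]]$Actual   = @(),   # current members of the local Administrators group
        [string[]]$Required = @(),   # members the GPO is supposed to guarantee
        [string[]]$Allowed  = @()    # members tolerated but not required
    )
    # -notcontains compares strings case-insensitively, which matches account names.
    foreach ($name in $Required) {
        if ($Actual -notcontains $name) {
            [pscustomobject]@{ Status = 'MISSING'; Account = $name }
        }
    }
    foreach ($name in $Actual) {
        if (($Required + $Allowed) -notcontains $name) {
            [pscustomobject]@{ Status = 'UNEXPECTED'; Account = $name }
        }
    }
}

# Groups from the thread: Domain Admins plus the "Local Admin Users Group" from post #2.
$required = 'CONTOSO\Domain Admins', 'CONTOSO\Local Admin Users Group'

# Constructed sample: a workstation where a local admin removed Domain Admins
# and added a user account directly.
$sample = 'PC01\Administrator', 'CONTOSO\Local Admin Users Group', 'CONTOSO\jsmith'
Compare-LocalAdminMembership -Actual $sample -Required $required -Allowed 'PC01\Administrator'

# Live check on the local machine. S-1-5-32-544 is the well-known SID of
# BUILTIN\Administrators, so the lookup works even if the group is renamed or localized.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)
    Compare-LocalAdminMembership -Actual $live -Required $required `
        -Allowed "$env:COMPUTERNAME\Administrator"
}
```

No output from the live check means every required group is present and nothing outside the required and allowed lists is a member.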
  9. DaveMills

    DaveMills Guest

    Also sounds like a disciplinary issue more than a technical one.
     
    DaveMills, Oct 4, 2009
    #9