Further Questions on Adding group to local administrators group via GPO

Discussion in 'Windows Small Business Server' started by stjulian, Jun 1, 2007.

  1. stjulian

    (Small Business Server 2003 R2).

    I would like to have a user set up to do software installations on only one
    set of computers. Not domain wide. He is not allowed to add users to the
    domain or, really, control anything else domain-wide. This is just to
    occasionally add, say, Flash player or other small applications (responsibly
    of course) to a group of only 6 computers.

    In the article referenced below, steps 4-12 show that the application of the
    group policy needs to be done on each of the workstations.

    In my case, I have set up an OU for a remote office under "MyBusiness". I
    have recreated a global group in that OU ("RemoteOffice Admins") containing
    the users that will be allowed to log in to the machines as a local admin
    and moved the computers in that office into the OU.

    Is there a way that local admin rights can be assigned to a user (or in this
    case a group) from the organizational unit on the domain controller? In this
    way, computers need only be moved into the OU to allow the group (step 3 in
    Q320065) to be a local admin.

    If I try to follow steps 4-12 on the Domain Controller, the GPO seems to be
    adding my "RemoteOffice Admins" group to the local Administrators group of
    the Domain Controller.

    Also, I hope I am right to assume that the domain-level policies are
    still applied to that OU, especially the one allowing the Domain Admins
    to access each of those computers by Remote Desktop. I think
    the default setup for SBS 2003 R2 puts that policy at the domain level.
    Am I right?
    stjulian, Jun 1, 2007

  2. This is easy - not going to bother reading the articles you linked/referred
    to, as I would do it this way -

    1. Create an AD security group called "RemoteOfficeAdmin" or whatever. I
    usually prefer to avoid spaces, but that's just me.
    2. Create a batch file with the following line - save it on your

    net localgroup administrators DOMAIN\remoteofficeadmin /add

    3. Create/link a new GPO at the Remote Office OU level, which you've already
    4. In the GPO, go to Computer Configuration \ Windows Settings \ Scripts
    5. Double-click Startup, click Add
    6. Copy the batch file you created to the clipboard, then paste it in the
    window here
    7. Exit/apply/ok/finish whatever

    All the computers in this OU should have the startup script applied when
    they restart, and all you have to do for the junior tech guy is create a new
    account for him to use for this purpose only (rather than his own) and add
    it to the AD group. Voila.

    I actually like to use the startup script stuff for other purposes, too - I
    create a "LocalAdmin" AD group, a LocalPowerUser group, etc - and add that
    group to all workstations in the domain (link it at the MyBusiness\Computers
    OU level). Then you can add/remove users from those groups as needed, for
    testing, or for when software needs to be installed & configured as the user
    account & not anyone else. You can also add the Remote Web Workplace Users
    group to the local workstation Remote Desktop users group too, if you want
    all users to be able to log on to all workstations via RD/RWW. Etc.
    Lanwench [MVP - Exchange], Jun 2, 2007
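    An added example, not from this thread: the one-line batch file above is
    re-run at every boot, and "net localgroup ... /add" fails with an error once
    the group is already a member. The script below (assumes PowerShell 2.0 or
    later on the workstation; the domain name CONTOSO, the group name
    RemoteOfficeAdmin and the event source name are placeholders) checks the
    current membership first, only adds when needed, and records the outcome in
    the Application event log so you can see on each machine what the policy did.

```powershell
# Added example (not from the thread): an idempotent version of the startup
# script. It runs as SYSTEM at boot on every computer in the OU, so it must be
# safe to re-run: it checks local Administrators membership before calling
# "net localgroup ... /add" and logs the result to the Application event log.
# Domain, group and event source names are assumptions; replace with your own.

$DomainGroup = 'CONTOSO\RemoteOfficeAdmin'   # assumed NetBIOS domain\group
$LocalGroup  = 'Administrators'
$EventSource = 'RemoteOfficeAdminScript'     # assumed event source name

function Get-LocalGroupMemberList {
    param([string]$GroupName)
    # "net localgroup <group>" prints a header, a dashed separator, one member
    # per line, then "The command completed successfully." Keep only members.
    $lines = & net localgroup $GroupName 2>&1
    $inList = $false
    foreach ($line in $lines) {
        $text = [string]$line
        if ($text -match '^-{5,}') { $inList = $true; continue }
        if ($text -match 'completed successfully') { break }
        if ($inList -and $text.Trim()) { $text.Trim() }
    }
}

function Add-DomainGroupToLocalGroup {
    param([string]$Member, [string]$GroupName)
    $current = @(Get-LocalGroupMemberList -GroupName $GroupName)
    # String comparison is case-insensitive, matching how Windows treats names.
    if ($current -contains $Member) {
        return 'already a member'
    }
    $out = & net localgroup $GroupName $Member /add 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed: $out"
    }
    return 'added'
}

# Register the event source once so results are visible in Event Viewer.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

try {
    $result = Add-DomainGroupToLocalGroup -Member $DomainGroup -GroupName $LocalGroup
    Write-EventLog -LogName Application -Source $EventSource -EntryType Information `
        -EventId 1000 -Message "$DomainGroup in local $LocalGroup on $env:COMPUTERNAME: $result"
} catch {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Error `
        -EventId 1001 -Message "Failed to add $DomainGroup to local $LocalGroup on $env:COMPUTERNAME: $_"
}
```

    On clients where the GPO editor only accepts .bat/.cmd startup scripts, the
    batch file can simply call
    "powershell.exe -ExecutionPolicy Bypass -File \\server\share\script.ps1"
    (path is a placeholder). The event log entries give you a per-machine audit
    trail of which computers actually picked up the group, which is the first
    thing to check when a workstation in the OU does not behave as expected.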

  3. Reply on behalf of an associate...

    There are multiple ways of achieving the result required, and it depends if
    you want to install it for all users on certain machines or for all machines
    for certain users.

    Assuming it is the former, you need to create a policy and go to the
    Software section of the machine component and create the install package.
    One way is to then connect the policy to an OU and move all of the machines
    to that OU. However a better method is to use security filtering. You would
    untick the "Apply" setting in the security section for the Authenticated
    Users, create a new Group "Program A" and add it to the Security for the
    Policy and give it READ and APPLY authority. You can then connect this
    policy at the Domain level and only machines that are members of the group
    will receive the policy.

    The two methods are probably similar if you have only one program to
    install. However if you have 5 different programs the second method is much
    simpler since you only need 5 groups, compared to a potential 32 OUs to
    cover all combinations.

    If you wanted to install the program for certain Users, then you would
    create the install package in the User area of the policy and add Users to
    the group.

    I am not sure what is trying to be achieved by giving users local admin
    rights. Firstly, you do not require Local Admin rights to get the
    installation of the Software to work. Policies run under the authority of
    SYSTEM and so can do the installation. If you need to add the Domain
    Group to the Local Admin Group for some other reason, there is a section in
    Group Policy under Windows Settings/Security Settings that allows you to add
    Domain Groups (or users) into Local groups automatically, but this is not an
    "add" function, it is a "replace" function, i.e. the policy will replace all
    of the existing members of the group with the list defined in the Policy.

    Alan Cuthbertson

    Henry Craven {SBS-MVP}, Jun 3, 2007