How to add a local group to the local administrators group with GP

Discussion in 'Active Directory' started by Yann, Oct 20, 2008.

  1. Yann

    Yann Guest

    Hello,

    I read a lot on it and it doesn't seem to be possible to do it.
    Anyway, here's my problem.

    My goal is to be able to use Restricted Groups to allow my domain
    group to have domain admin rights on all the servers in the OU, and to keep
    all the local administrator accounts specific to each server. I do not want
    to create 5 OUs to implement this.

    An OU with 20 servers in a domain.
    A GPO linked to this OU.

    On each server, I have a few administrator accounts that can be local or
    domain. For example, developers have domain accounts and need to be able to
    reboot the server, install applications, etc. I also have local accounts used
    by services.
    I want to create a LOCAL group (for example, myLocalAdmins) on each server and
    put all the local user accounts that need administrator privileges into this
    new LOCAL group. Then I want to make this new LOCAL group (myLocalAdmins) a
    member of the LOCAL Administrators group (the built-in one).
    This is impossible: the other local groups are not even listed when trying
    to add a new member to the LOCAL Administrators built-in group.

    Trying with Group Policy > Restricted Groups, I can force myLocalAdmins to be
    added as a member of the Administrators built-in group, but users inside the
    myLocalAdmins group won't get administrator privileges.
    Moreover, I get "Aliases cannot be members of other groups." in
    %windir%\Security\Logs\Winlogon.log, as described in
    http://support.microsoft.com/kb/927061/en-us.

    Thanks for any suggestion.
     
    Yann, Oct 20, 2008
    #1

  2. Marcin

    Marcin Guest

    Yann,
    as you have discovered, your approach is simply not feasible. My
    recommendation would be to stay away from local user accounts (they are
    difficult to control/monitor centrally and leave room for potential abuse)
    and stick to domain-based users and groups (limit use of local groups to the
    built-in ones, including local Administrators, where appropriate). Use the
    Member of portion of the Restricted Groups policy to assign designated
    domain-based groups to local Administrators and apply security filtering to
    limit their scope to the appropriate servers.

    hth
    Marcin
     
    Marcin, Oct 20, 2008
    #2
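The following PowerShell is an added example, not code from either poster. It shows on one server why the original plan fails (the SAM refuses to nest one local group, an "alias", inside another), then does by hand what the Restricted Groups "Member of" setting in the reply does on every server in the OU (a domain group placed directly in the built-in Administrators group), and finally audits the OU for local accounts that still hold Administrators membership. The domain CONTOSO, the group CONTOSO\ServerAdmins and the OU path are hypothetical; the script assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / Windows 10 and later), the ActiveDirectory module, PowerShell Remoting to the servers, and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Hypothetical names: CONTOSO, CONTOSO\ServerAdmins,
# OU=Servers,DC=contoso,DC=com. Requires Microsoft.PowerShell.LocalAccounts, the
# ActiveDirectory module and PowerShell Remoting to the target servers.

# 1. Why the thread's approach fails: a local group (alias) cannot be a member of
#    another local group. The SAM rejects the add; the exact error text varies by build.
New-LocalGroup -Name 'myLocalAdmins' -Description 'demo only' -ErrorAction SilentlyContinue | Out-Null
try {
    Add-LocalGroupMember -Group 'Administrators' -Member 'myLocalAdmins' -ErrorAction Stop
    Write-Warning 'Unexpected: the SAM accepted a nested local group.'
} catch {
    Write-Host "Nesting a local group was refused, as expected: $($_.Exception.Message)"
}
Remove-LocalGroup -Name 'myLocalAdmins' -ErrorAction SilentlyContinue

# 2. What works: a domain group as a direct member of the built-in Administrators group.
#    This is the per-server effect of Restricted Groups -> "This group is a member of".
#    Adding a member does not disturb the server-specific accounts already in the group,
#    which is why the reply points at "Member of" rather than "Members of this group"
#    (the latter replaces the whole membership list on every policy refresh).
$DomainAdminGroup = 'CONTOSO\ServerAdmins'
$current = Get-LocalGroupMember -Group 'Administrators'
if ($current.Name -notcontains $DomainAdminGroup) {
    Add-LocalGroupMember -Group 'Administrators' -Member $DomainAdminGroup
}

# 3. Audit the OU: every member of local Administrators on every server, with local
#    (SAM) principals flagged. These are the accounts the reply recommends migrating
#    to domain accounts; the RID-500 built-in Administrator is marked separately.
function Get-LocalAdminReport {
    param(
        [string]$SearchBase = 'OU=Servers,DC=contoso,DC=com'   # hypothetical OU
    )
    $servers = (Get-ADComputer -Filter * -SearchBase $SearchBase).Name
    Invoke-Command -ComputerName $servers -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Server         = $env:COMPUTERNAME
                Member         = $_.Name
                Type           = $_.ObjectClass                 # User or Group
                Source         = $_.PrincipalSource             # Local or ActiveDirectory
                IsLocal        = ($_.PrincipalSource -eq 'Local')
                IsBuiltInAdmin = ($_.SID.Value -like 'S-1-5-21-*-500')
            }
        }
    } | Select-Object Server, Member, Type, Source, IsLocal, IsBuiltInAdmin
}

# Servers where a local user or group (other than the built-in Administrator) is still
# a direct member of Administrators: candidates for cleanup, grouped per server.
Get-LocalAdminReport |
    Where-Object { $_.IsLocal -and -not $_.IsBuiltInAdmin } |
    Sort-Object Server, Member |
    Format-Table -AutoSize
```

Run step 3 before and after the GPO is linked: a server that still shows local members after the policy has applied confirms that "Member of" left the per-server accounts in place, while a server missing CONTOSO\ServerAdmins usually means it was excluded by the security filtering the reply mentions or has not refreshed policy yet. Because step 1 creates and deletes a throwaway group, run it on a test host rather than a production server.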
