Local admin through group policy and keep admin on local machine?

Discussion in 'Active Directory' started by Kevin Rhodes, Mar 21, 2007.

  1. Kevin Rhodes

    Kevin Rhodes Guest

    I have created a local admin group policy giving a group admin rights over an
    OU (this is to be for our help desk). Some of our software programs require
    users to have local admin access as well (so I give it to them through their
    domain account on the local PC - I don't want to add them to help desk group
    and give them local admin on all the OU PCs). The problem is that the
    following day the admin account on the local PC is automatically removed from
    the list of administrators. I have this set up in a beta environment so we
    don't have to go to each machine, each day, to add them back in. Any ideas on
    how to block this? I have tried to turn "no override" on in the GP options,
    but this too disappears the following day. Is there any way I can speed up
    whatever cycle time it is on so that I don't have to wait a day to see if it
    works? (I always do a forced update after I make changes). Thanks in advance.
     
    Kevin Rhodes, Mar 21, 2007
    #1

  2. Kevin Rhodes

    Al Mulnick Guest

    A change in approach is probably warranted. Consider doing this with
    startup scripts vs. restricted groups and use the GPO to enforce the startup
    scripts. The startup script would just add the domain group to the local
    administrators vs. making it the only group.

    There are several examples of how to do this on the web. Search for
    restricted groups local administrators and you should find what you're
    after.

    Al
     
    Al Mulnick, Mar 21, 2007
    #2

  3. The way I am hearing this is that you need a custom support
    group to always be in the machine local Administrators group
    on all of a set of machines that you have in an OU, and then,
    on some of those machines you also need to have the domain
    account of a user of the machine, and this last part differs per
    machine.
    How I would go about this is via Restricted Group definition
    in GPO for the custom support group, and then adding the per
    machine domain account via script (just run at cmd prompt) or
    via manual addition if number of machines needing this is small.
    To add the custom support group, let us say it is named Support,
    a domain group, use a GPO that is linked to the OU and in it
    define as a Restricted Group "Support" (yes, not Administrators
    but Support, the group to be added to each local Administrators
    group). In the Restricted Group definition leave the Members
    list empty, and in the Member Of list add Administrators.
    If you want to control the domain accounts that are members in
    Support, do this in a GPO that has the DCs OU within its scope.
    The GPO linked to the OU will make sure that Support is in
    Administrators and it will not cause anything that is already
    in the machine local Administrators group to be removed.
    If you then add the per machine domain account as/where
    needed it will stay a member of Administrators. If that domain
    user removes Support from their machine's Administrators group
    the Support group will be restored as a member as soon as the
    GPO is reapplied.

    As far as you wanting to immediately refresh policy, it sounds
    like you have tried gpupdate on the client but did not find it to work.
    If that is the case it may be that you did this before the changed
    GPO had replicated to the DC preferred by that client. Make
    sure that you use the /force switch.

    Roger
     
    Roger Abell [MVP], Mar 22, 2007
    #3
  4. You could use the restricted user group gpo setting


    computer configuration \ windows settings \ restricted groups

    group = your group to be made local admins
    member of = BUILTIN\Administrators



    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    http://www.microsoft.com/technet/pr...Ref/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

    http://www.microsoft.com/resources/...all/proddocs/en-us/sag_scerestrictgroups.mspx


    There is absolutely nothing that has to be done on the client side.

    Create the gpo in the ou where the Computers reside (NOT the users), go to
    computer configuration/windows settings/security settings/restricted groups,
    right click on restricted groups and select new group (For the local
    computers, this group name should be - administrators) and key in the group
    you want auto populated. Select add on the Members of this group and then
    add the members you want populated.
     
    Paul Bergson [MVP-DS], Mar 22, 2007
    #4
  5. Kevin Rhodes

    Al Mulnick Guest

    BUILTIN\Administrators - ?
    I don't see that as a good idea at first glance. Have you used that setting
    in the past?
     
    Al Mulnick, Mar 22, 2007
    #5

  6. Works like a champ - post W2k3 SP4, XP SP2, W2k3 SP1 clients of the GPO.
    We use it to provision for our client system support unit's subsets of
    people.

    In case of poster, to do all from client side sounds like they would have to
    have a number of GPOs that each target one machine (for the per machine
    unique domain account that ought be member in addition to the uniform group)

    Roger
     
    Roger Abell [MVP], Mar 22, 2007
    #6
  7. If you want to make your help desk local admins, I have found this works
    best.
     
    Paul Bergson [MVP-DS], Mar 22, 2007
    #7
  8. Kevin Rhodes

    Kevin Rhodes Guest

    Thanks for your help Roger!

    I think that you understand our situation correctly. When it comes to
    implementation, I am a little confused about how to add members to the Support
    group and limit them only to this OU.

    The user group is: "Support" and it is a member of administrators (built-in)
    My current GPO for the OU is: Restricted group, "Support"
    The member of this GPO is the domain's group: "Support"

    If I add user accounts to the domain Support group, they don't have local
    admin. You mentioned: "If you want to control the domain accounts that are
    members in Support, do this in a GPO that has the DCs OU within its scope." Can you
    walk me through that part?

    BTW-This beta server does not have SP1 or SP2 installed at present.

    Thanks again,
    Kevin
     
    Kevin Rhodes, Mar 22, 2007
    #8
  9. Kevin Rhodes

    Kevin Rhodes Guest

    Thanks Paul!

    I am pretty sure that this overrides my local admin setting (removing the
    domain user I have given admin rights to on that particular local machine).
    The idea is to give a support group admin access over the OU machines, and
    certain domain users full admin over their machine as well.
     
    Kevin Rhodes, Mar 22, 2007
    #9
  10. Kevin Rhodes

    Al Mulnick Guest

    No, I was curious so I tested same. The trick is to use the memberof
    setting only (that was previously mentioned somewhere I believe). Leave the
    other setting blank.
    The result is that your group will be added to the local administrators
    group on everything that the GPO applies to.

    Thanks Paul and the others that replied. Been meaning to check out the
    additional settings that restricted groups adds. I appreciate giving me the
    reason and the pointers. :)
     
    Al Mulnick, Mar 22, 2007
    #10
  11. Kevin Rhodes

    Al Mulnick Guest

    When you say "Beta server" What does that mean to the rest of us exactly?
     
    Al Mulnick, Mar 22, 2007
    #11
  12. The GPO linked to the OU that contains the set of computer objects
    has restricted group def for Support, stating it should be member-of
    Administrators (on the computers in that OU)
    This GPO states nothing about the members in the group Support,
    only that the group Support must be in those computers' Administrators
    groups.
    Say that you do want to control members of Support.
    One might do this with a restricted group definition for Support in
    a GPO linked to the DC OU. In this restricted group definition one
    would use the "members" list and not use the "member of" list, i.e.
    one does opposite of on the OU of managed computers.

    If you have multiple different sets of client systems with multiple
    different sets of domain accounts for each, then you just end up
    with multiple OUs (likely subOUs), multiple GPOs, multiple
    SupportA, SupportB, etc. and you might end up with the uber
    Support group being a member of each SupportA, SupportB, etc.
    I have no idea whether this usage of restricted groups works on any
    beta version of software - but for the OU of computers, it is the version
    of the computers in the OU that is important.
     
    Roger Abell [MVP], Mar 23, 2007
    #12
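
Added example (not part of any post in this thread, and not Windows code): a simplified Python model of the two Restricted Groups modes discussed above, "Members" on Administrators versus "Member Of" on the support group, applied to one machine's local Administrators list. It assumes the policy is written as a `[Group Membership]` security-template section; the `EXAMPLE\...` names and the sample policies are constructed, and the model deliberately ignores an empty `__Members` line for a group that is not local to the machine.

```python
# Added example: simplified model of Restricted Groups processing, not Windows code.
ADMINS = {"*s-1-5-32-544", "administrators", r"builtin\administrators"}

def parse_group_membership(inf_text):
    """Parse [Group Membership] into {(group, 'members'|'memberof'): [entries]}."""
    rules, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep and kind.lower() in ("members", "memberof"):
                rules[(group, kind.lower())] = [
                    v.strip() for v in value.split(",") if v.strip()]
    return rules

def apply_to_local_admins(rules, before):
    """Return (members_after, removed) for the local Administrators group."""
    after = list(before)
    for (group, kind), entries in rules.items():
        # "Members" on Administrators is authoritative: the list replaces
        # whatever is there, so hand-added accounts disappear at refresh.
        if kind == "members" and group.lower() in ADMINS:
            after = list(entries)
    for (group, kind), entries in rules.items():
        # "Member Of" is additive: the named group is added and nothing
        # already present is touched.
        if kind == "memberof" and any(e.lower() in ADMINS for e in entries):
            if group.lower() not in [m.lower() for m in after]:
                after.append(group)
    kept = {m.lower() for m in after}
    return after, [m for m in before if m.lower() not in kept]

# Constructed sample policies and machine state (EXAMPLE\... names are made up).
MEMBERS_MODE = r"""
[Group Membership]
*S-1-5-32-544__Members = Administrator,EXAMPLE\Support
"""
MEMBEROF_MODE = r"""
[Group Membership]
EXAMPLE\Support__Memberof = *S-1-5-32-544
EXAMPLE\Support__Members =
"""
BEFORE = ["Administrator", r"EXAMPLE\jdoe"]  # jdoe was added by hand on this PC

if __name__ == "__main__":
    for name, inf in (("Members", MEMBERS_MODE), ("Member Of", MEMBEROF_MODE)):
        after, removed = apply_to_local_admins(parse_group_membership(inf), BEFORE)
        print(f"{name:9} -> after={after} removed={removed}")
```

In the "Members" case the hand-added `EXAMPLE\jdoe` is reported as removed, which matches the symptom in the first post; in the "Member Of" case it survives alongside the support group.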

  13. That was the behavior prior to the OS version I mentioned.
     
    Roger Abell [MVP], Mar 23, 2007
    #13
  14. Kevin Rhodes

    Kevin Rhodes Guest

    Sorry, I should have used the word "test". This is the server in my test
    environment. It is using 2003 SP2. All machines in the OU are XP with SP2.
     
    Kevin Rhodes, Mar 23, 2007
    #14
