Making a Domain Group Local Admins Via Group Policy

Discussion in 'Active Directory' started by Paul Anderson, Feb 11, 2005.

  1. I want to create a Support Engineer group for our support guys, so they can
    have local but not domain admin rights.

    I would like to do it through group policy by applying it to an OU so that
    they have local admin rights to any machines under that OU. How do I do
    this?

    I've been adding them to the local Administrators group on each machine by
    script, but this is cumbersome and needs to be done every time a new machine
    is added to the network. Having this done automatically through Group
    Policy would be much tidier.


    Desktop O/S: Windows XP SP2
    Server O/S: Windows Server 2003
    Active Directory mode: 2003 Native
    Paul Anderson, Feb 11, 2005

  2. See tip 5319 in the 'Tips & Tricks' at

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    Jerold Schulman, Feb 11, 2005

  3. Paul,

    This question is asked at least 10 times a week! ;-)

    Please search this NG for 'Restricted Groups'. That is your answer.

    And, most people would suggest that normal user account objects are *NOT*
    added to the computer's local Administrator group. I can sing a song or two
    about users deleting their FONTS folder to make room for their music files
    or to make sure that only the fonts that they need for a project are
    available! I know that this is for a Support Group. Just keep in mind that
    for normal users this is a bad idea.

    Now, when creating the GPO make sure that you follow the following MSKB
    Article: It is important that you
    do this from a workstation that has the ADMINPAK installed. Even though
    this article is for WIN2000 and you have WIN2003 the same concepts apply.
    Do it from a workstation or have fun trying to figure things out!

    Additionally, be aware that the default behavior is to flush the contents of
    the affected computer account objects' local Administrators group and replace
    it with the group that you specify. You might want to add two groups when
    creating the GPO: the Support group that you have created and the Domain
    Admins group. There is a fix for this that modifies the default behavior.
    Please look at the following MSKB Article: I might stay with the default,
    though. This way you know who is a member.

    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP
    Cary Shultz [A.D. MVP], Feb 11, 2005
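The replace-versus-add distinction Cary describes is visible in the security template the Group Policy editor writes for a Restricted Groups setting (GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL). In its [Group Membership] section, a `<group>__Members = ...` line replaces the group's membership with exactly the listed accounts at every policy refresh, while a `<group>__Memberof = ...` line only adds the group to the listed groups and leaves existing members alone. The following script is an added example, not code from the thread or from Microsoft: it parses that section from constructed sample templates and warns when the Administrators group is being replaced, and when Domain Admins is missing from the replacement list. The domain SID and the RID 1105 for a "Support Engineers" group are made up; S-1-5-32-544 (local Administrators) and RID 512 (Domain Admins) are the real well-known values.

```python
"""Audit a Restricted Groups template (GptTmpl.inf, [Group Membership] section).

Two line shapes matter:
  <group>__Members  = a,b,c   -> membership of <group> is REPLACED with a,b,c
  <group>__Memberof = x,y     -> <group> is ADDED to x and y (existing members kept)
Entries prefixed with '*' are SIDs; other entries are names such as DOMAIN\\Group.
"""
from __future__ import annotations

# Real well-known values.
BUILTIN_ADMINISTRATORS = "*S-1-5-32-544"  # local Administrators group
DOMAIN_ADMINS_RID = "512"

# Constructed sample data: the domain SID and the RID 1105 are invented for illustration.
SUPPORT = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-512"

# Default method: Administrators is the restricted group, only Support is listed.
REPLACE_NO_DA = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
{BUILTIN_ADMINISTRATORS}__Memberof =
{BUILTIN_ADMINISTRATORS}__Members = {SUPPORT}
"""

# Default method with Domain Admins listed next to Support, as Cary suggests.
REPLACE_WITH_DA = f"""\
[Group Membership]
{BUILTIN_ADMINISTRATORS}__Memberof =
{BUILTIN_ADMINISTRATORS}__Members = {SUPPORT},{DOMAIN_ADMINS}
"""

# Additive method: the domain group is the restricted group, "member of" Administrators.
ADDITIVE = f"""\
[Group Membership]
{SUPPORT}__Memberof = {BUILTIN_ADMINISTRATORS}
{SUPPORT}__Members =
"""


def parse_group_membership(inf_text: str) -> dict[str, dict[str, list[str] | None]]:
    """Return {group: {"members": [...] or None, "memberof": [...] or None}}.

    None means the attribute was not present; an empty list means it was present but empty.
    """
    policy: dict[str, dict[str, list[str] | None]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line or "__" not in line:
            continue
        key, _, value = line.partition("=")
        group, attr = key.strip().rsplit("__", 1)
        attr = attr.lower()
        if attr not in ("members", "memberof"):
            continue
        entry = policy.setdefault(group, {"members": None, "memberof": None})
        entry[attr] = [m.strip() for m in value.split(",") if m.strip()]
    return policy


def effective_members(policy: dict, group: str = BUILTIN_ADMINISTRATORS) -> tuple[str, list[str]]:
    """Return ("replace", final member list) or ("add", members the policy adds)."""
    entry = policy.get(group, {"members": None, "memberof": None})
    added = sorted(g for g, e in policy.items() if e["memberof"] and group in e["memberof"])
    if entry["members"] is not None:
        return "replace", entry["members"] + [g for g in added if g not in entry["members"]]
    return "add", added


def is_domain_admins(member: str) -> bool:
    """True for the Domain Admins SID (RID 512) or a DOMAIN\\Domain Admins name."""
    m = member.strip()
    if m.startswith("*"):
        return m.split("-")[-1] == DOMAIN_ADMINS_RID
    return m.lower().endswith("\\domain admins")


def audit(inf_text: str, group: str = BUILTIN_ADMINISTRATORS) -> list[str]:
    """Warnings about how the template treats `group`; none for a purely additive policy."""
    mode, members = effective_members(parse_group_membership(inf_text), group)
    warnings = []
    if mode == "replace":
        listed = ", ".join(members) if members else "<nobody>"
        warnings.append(f"{group}: membership is REPLACED at every policy refresh with {listed}")
        if not any(is_domain_admins(m) for m in members):
            warnings.append(f"{group}: Domain Admins (RID {DOMAIN_ADMINS_RID}) is not in the replacement list")
    return warnings


if __name__ == "__main__":
    for label, text in (("replace, no Domain Admins", REPLACE_NO_DA),
                        ("replace, with Domain Admins", REPLACE_WITH_DA),
                        ("additive (Memberof)", ADDITIVE)):
        print(f"== {label}")
        print("  effective:", effective_members(parse_group_membership(text)))
        for warning in audit(text):
            print("  WARNING:", warning)
```

To run it against a real GPO, replace the sample strings with the file's contents; the template is stored as UTF-16, so open it with `encoding="utf-16"`. The first sample is the trap in the post: a single refresh strips Domain Admins (and everyone else) out of local Administrators on every machine in the OU. The third sample is the additive method, which never removes anything, so it also never gives you the "you know who is a member" guarantee Cary prefers.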
