
Local Administrators Group


Josh Messerschmitt

Jan 4, 2006, 11:48:01 PM
I have a question that is just stumping me for best practice: I have many
OUs in a single domain, with a technician under/at each OU (site) that is
delegated rights to perform their daily duties via a group for each OU
(site). What I'd like is for all of the computers and non-domain
controllers at/under each site to have this group be in the local
administrators group to have admin access on each box. I imagine that this
has to be done manually or by using A2A for the specific group on each &
every workstation, correct? The gotcha is that I don't want these techs to
be able to log in to ANY domain controllers, therefore I didn't add them to
the Administrators group in AD.

I know the domain admin group is added to the local admin group by default,
but we definitely don't want these techs to be DAs (some currently are
until this issue is resolved). The domain is in mixed mode and the groups
used for delegation are Global groups, so they should be able to be seen by
all boxes out there.

Can anyone shed some light on the preferred method of doing this?
Thanks
--
Josh Messerschmitt


Norbert Fehlauer [MVP]

Jan 5, 2006, 2:31:48 AM
Josh Messerschmitt wrote:
Hi Josh,

> Can anyone shed some light on the preferred method of doing this?

Take a look at restricted groups in group policy.
http://support.microsoft.com/kb/320065/en-us

HTH
Norbert
--
Dilbert's words of wisdom #19: Am I getting smart with you? How would
you know?

Josh Messerschmitt

Jan 5, 2006, 7:17:16 AM
Norbert, that is sweet! Exactly what I was looking for. I imagine I have
to put all of the groups I want into Restricted groups? For example: I
only put this new group in there and that results in overwriting all
existing groups with just this new group? So, I should put domain admins,
administrator, + this new group - Right?

--
Josh Messerschmitt


Norbert Fehlauer [MVP]

Jan 5, 2006, 7:49:46 AM
Josh Messerschmitt wrote:

> have to put all of the groups I want into Restricted groups? For
> example: I only put this new group in there and that results in
> overwriting all existing groups with just this new group? So, I
> should put domain admins, administrator, + this new group - Right?

You can use "replace" or "add" mode in restricted groups. If you use
replacement, then you have to put your local administrator back in with the
GPO. ;)

Bye
Norbert

Josh Messerschmitt

Jan 5, 2006, 7:59:26 AM
Gotcha - Thanks a ton

--
Josh Messerschmitt


Josh Messerschmitt

Jan 6, 2006, 1:28:33 AM
> You can use "replace" or "add" mode in restricted groups.

How do you toggle between replace and add modes?
I set this up and it replaced by default and didn't see an option to change
it.

--
Josh Messerschmitt


Norbert Fehlauer [MVP]

Jan 6, 2006, 2:05:23 AM
Josh Messerschmitt wrote:
Hi,

> How do you toggle between replace and add modes?

It's not an option to click. You have to reverse your groups. Just enter a
domain group (Domain Administrators) as group and choose that this group is
member of e.g. Administrators.

> I set this up and it replaced by default and didn't see an option to
> change it.

See above. You just have to reverse your process ;)

HTH
Norbert
--
Dilbert's words of wisdom #18: Never argue with an idiot. They drag you
down to their level then beat you with experience.
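
The two modes described in this thread are stored in the GPO's `GptTmpl.inf` under `[Group Membership]`: a restricted group with a `__Members` list replaces that group's membership, while a domain group with `__Memberof` pointing at Administrators is only added. The following audit sketch is an added example, not part of the original posts; the domain SID and RIDs in the sample are constructed, and the check for Domain Admins and Administrator follows the advice given in the thread.

```python
# Constructed GptTmpl.inf fragment; the domain SID and RIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOM}-1105
*{DOM}-1106__Memberof = *S-1-5-32-544
*{DOM}-1106__Members =
"""

# Local Administrators, by well-known SID or by typed name.
LOCAL_ADMINS = {"*s-1-5-32-544", "administrators"}

def parse_group_membership(inf_text):
    """Return {principal: {"members": [...], "memberof": [...]}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or "__" not in line:
            continue
        key, _, value = line.partition("=")
        principal, _, kind = key.strip().rpartition("__")
        items = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(principal, {})[kind.lower()] = items
    return groups

def _listed(members, rid, name):
    """True if a member matches the RID suffix or the (domain-stripped) name."""
    return any(m.endswith(rid) or m.rsplit("\\", 1)[-1] == name for m in members)

def audit_local_admins(inf_text):
    """Classify each entry touching local Administrators as replace or add."""
    findings = []
    for principal, entry in parse_group_membership(inf_text).items():
        if principal.lower() in LOCAL_ADMINS and "members" in entry:
            members = [m.lower() for m in entry["members"]]
            missing = [label for rid, name, label in (
                ("-512", "domain admins", "Domain Admins"),
                ("-500", "administrator", "Administrator"),
            ) if not _listed(members, rid, name)]
            findings.append(("replace", principal, missing))
        elif any(g.lower() in LOCAL_ADMINS for g in entry.get("memberof", [])):
            findings.append(("add", principal, []))
    return findings
```

Run against the sample, the first entry is reported as replace mode with both Domain Admins and Administrator missing from the list, and the second as add mode.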

Josh Messerschmitt

Jan 6, 2006, 4:57:30 PM
> See above. You just have to reverse your process ;)

It won't let me do it that way. If I add a group to the restricted groups
(say, Domain Admins), then it won't let me add any groups from the local
machine for 'members'. It also won't let me select anything from the local
machine in the 'member of' section.

--
Josh Messerschmitt


Norbert Fehlauer [MVP]

Jan 6, 2006, 6:13:01 PM
Josh Messerschmitt wrote:
>> See above. You just have to reverse your process ;)
http://www.gruppenrichtlinien.de/Bilder/EGruppen-hinzufuegen.gif

Take a look here (German screenshot but should be sufficient)

HTH
Norbert
--
Dilbert's words of wisdom #32: If it wasn't for the last minute,
nothing would get done.

Josh Messerschmitt

Jan 6, 2006, 7:23:19 PM
> Take a look here (German screenshot but should be sufficient)
Oh, the screenshot just had the word 'Administrators' typed in. I tried
this & it worked perfectly - I was trying to browse out to find the group.
This makes much more sense as my other method was probably tying the group
to the specific box.

Thanks for all of your help!
--
Josh Messerschmitt


Norbert Fehlauer [MVP]

Jan 6, 2006, 8:13:56 PM
Josh Messerschmitt wrote:
Hi,

> the group. This makes much more sense as my other method was probably
> tying the group to the specific box.
>
> Thanks for all of your help!

So I guess it works now. ;)

Bye
Norbert
--

Josh Messerschmitt

Jan 7, 2006, 1:37:49 AM
> So I guess it works now. ;)
Yep, thanks again.

--
Josh Messerschmitt

