Adding group/user to local Admins group on all workstations?

 
 
Barkley Bees
      10th Apr 2008
Somewhat related to my previous post, can anyone recommend how to add an AD
group/user to the local administrators group for all workstations (XP/2000)
in a domain? I imagine it would be via Group Policy but I welcome any
suggestions. Thank you.


 
Florian Frommherz [MVP]
      10th Apr 2008
Howdie!

Barkley Bees wrote:
> Somewhat related to my previous post, can anyone recommend how to add an AD
> group/user to the local administrators group for all workstations (XP/2000)
> in a domain? I imagine it would be via Group Policy but I welcome any
> suggestions. Thank you.


Restricted Groups is what you're looking for:
http://www.frickelsoft.net/blog/?p=13

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
 
 
Paul Bergson [MVP-DS]
      10th Apr 2008
You could use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articl...ed-Groups.html

http://www.microsoft.com/technet/pro...a15c18f6a.mspx

http://www.microsoft.com/resources/d...ictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.

Note: Be aware that the higher you place this setting within the domain's
group policy, the possibility exists it is applied to machines you may not
want it applied to. With this in mind you should try and avoid this setting
at the domain level, with the exception of the domain admins group. We have
some users who are local admins on machines and for some reason they feel
compelled to remove the domain admins from their local administrators group.
Setting this at the domain level manages these annoying users.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Barkley Bees
      16th Apr 2008
Thanks for the informative pointers Paul. I have one more question on this
matter. I read on technet that the restricted group policy will overwrite
existing group permissions on computer with this GPO applied. So, I imagine
that in addition to the group we want to add, we should have the 'domain
admins' group included in the policy.

Also, in our case we allow users to have local admin rights on their own
machines (believe it or not) so how could we implement this without it
overwriting and removing them from their local Administrators group? I
imagine that if we need to do this the restricted groups policy may not be
the best route for us?
 
Roger Abell [MVP]
      21st Apr 2008
The overwrite / replace all membership behavior is what
happens when one uses the Member list after naming the
group whose members are to be controlled.
Here one names the group to be made a member and names
the group in which it should be a member in the MemberOf
list, and there is no total overwrite/replace.

Roger
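Added example (not part of the original thread and not code from any of the posters): a small Python audit that reads the `[Group Membership]` section of a GPO security template and reports whether each entry replaces the local Administrators membership (Members list) or only adds a group to it (Member Of list), the distinction discussed in the last two posts. The `__Members` / `__Memberof` key layout of `GptTmpl.inf` is assumed, and the sample section and its domain SIDs are constructed.

```python
# Added example: classify Restricted Groups entries from a GPO security template.
ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a [Group Membership] section; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1200__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1200__Members =
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(text):
    """Return (group, kind, values) tuples; kind is 'members' or 'memberof'."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        entries.append((group, kind.lower(), values))
    return entries

def audit(text):
    """Flag how each entry touches local Administrators on the target machines."""
    findings = []
    for group, kind, values in parse_group_membership(text):
        if not values:
            continue  # empty lists are not evaluated by this sample
        if kind == "members" and group == ADMINS:
            # Members list on Administrators: anything not listed is dropped.
            has_da = any(v.endswith("-512") for v in values)  # RID 512 = Domain Admins
            findings.append(("REPLACE", group, values, has_da))
        elif kind == "memberof" and ADMINS in values:
            # Member Of list: the named group is added, existing members stay.
            findings.append(("ADD", group, values, None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print(finding)
```

A `REPLACE` finding whose last field is `False` means the Members list would leave Domain Admins out of local Administrators, which is the case raised in the 16th Apr post.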
 
 
 