Hi All,
I have created OU in active directory and added many number
of computers to that OU. I want some body to manage that
OU. I mean that person should be able to carry out all the
admin tasks if he locally logs on to those computers,
coming under that OU only. He should not have admin
previliges on other computers of different OU.

One way to do this is by go on adding that user to local
admins group of all workstations. This is lenthy process. I
want to achieve this by simply defining administrator for
that OU?.

Is it possible to do that. If possible, how?. Can you
eloborate please?. Some body told in my earlier related
query that it is possible by restricted groups?. They have
not eloborated? I don't know what are these restricted
groups? what is the purpose of them?..

Thanks in advance.
Regards,
Srinivas Acharya

Srinivas Acharya wrote:
> Is it possible to do that. If possible, how?. Can you
> eloborate please?. Some body told in my earlier related
> query that it is possible by restricted groups?. They have
> not eloborated? I don't know what are these restricted
> groups? what is the purpose of them?..

Yes, restricted groups are proper solution for this problem.
Restricted groups are defined in the GPO (for example GPO assigned on
the OU level) to force content of specified security group - for example
local administrators on client machine. IF You set this settings in
GPO on the OU level and then define in this GPO that in the builtin
administrators group only UsersA,UserB and DOmain Admins can be a member
of local administrators group this setting will be forced on all
machines affected by this GPO.
If somebody change this group membership on the next time policy will
applied the membership of local administrators group (for example) will
be set as defined in GPO.

--
Tomasz Onyszko [MVP]
(E-Mail Removed)
http://www.w2k.pl

Hi,
"
IF You set this settings in
>GPO on the OU level and then define in this GPO that in
the builtin administrators group only UsersA,UserB and
DOmain Admins can be a member of local administrators group
this setting will be forced on all machines affected by
this GPO".

This is fine. But I don't how to configure this.Please help me.

Regards,
Srinivas Acharya
>-----Original Message-----
>Srinivas Acharya wrote:
>> Is it possible to do that. If possible, how?. Can you
>> eloborate please?. Some body told in my earlier related
>> query that it is possible by restricted groups?. They have
>> not eloborated? I don't know what are these restricted
>> groups? what is the purpose of them?..
>
>Yes, restricted groups are proper solution for this problem.
>Restricted groups are defined in the GPO (for example GPO
assigned on
>the OU level) to force content of specified security group
- for example
> local administrators on client machine. IF You set this
settings in
>GPO on the OU level and then define in this GPO that in
the builtin
>administrators group only UsersA,UserB and DOmain Admins
can be a member
>of local administrators group this setting will be forced
on all
>machines affected by this GPO.
>If somebody change this group membership on the next time
policy will
>applied the membership of local administrators group (for
example) will
>be set as defined in GPO.
>
>--
>Tomasz Onyszko [MVP]
>(E-Mail Removed)
>http://www.w2k.pl
>.
>

Srinivas Acharya wrote:

> This is fine. But I don't how to configure this.Please help me.
OK, create a GPO on the OU and edit it - next: Computer configuration ->
Windows Settings -> Security Settings -> Restricted groups

Rigth click -> add group -> Administrators



--
Tomasz Onyszko [MVP]
(E-Mail Removed)
http://www.w2k.pl

Hi
Thanks for the quick answer.

I know that.But I can't understand how it will work because
I added domain user to administrator group in the
restricted group of GPO on that OU. But when login as that
user on that PC, I don't have admin previleges. Is there
any thing that I have to do.
Regards,
Srinivas Acharya

>-----Original Message-----
>Srinivas Acharya wrote:
>
>> This is fine. But I don't how to configure this.Please
help me.
>OK, create a GPO on the OU and edit it - next: Computer
configuration ->
>Windows Settings -> Security Settings -> Restricted groups
>
>Rigth click -> add group -> Administrators
>
>
>
>--
>Tomasz Onyszko [MVP]
>(E-Mail Removed)
>http://www.w2k.pl
>.
>

Hi,
Any how I managed to add the domain user to local
administrator group with the help of restricted groups. but
now I have moved that PC from that OU. But still that user
is in the administrator group. Why still that user is
having admin previleges even though that user is no more in
that OU. Please any of you could address this issue?.
Regards,
Srinivas Acharya


>-----Original Message-----
>Hi
>Thanks for the quick answer.
>
>I know that.But I can't understand how it will work because
>I added domain user to administrator group in the
>restricted group of GPO on that OU. But when login as that
>user on that PC, I don't have admin previleges. Is there
>any thing that I have to do.
>Regards,
>Srinivas Acharya
>
>>-----Original Message-----
>>Srinivas Acharya wrote:
>>
>>> This is fine. But I don't how to configure this.Please
>help me.
>>OK, create a GPO on the OU and edit it - next: Computer
>configuration ->
>>Windows Settings -> Security Settings -> Restricted groups
>>
>>Rigth click -> add group -> Administrators
>>
>>
>>
>>--
>>Tomasz Onyszko [MVP]
>>(E-Mail Removed)
>>http://www.w2k.pl
>>.
>>
>.
>