Administering OUs

S

Srinivas Acharya

Hi All,
I have created OU in active directory and added many number
of computers to that OU. I want some body to manage that
OU. I mean that person should be able to carry out all the
admin tasks if he locally logs on to those computers,
coming under that OU only. He should not have admin
previliges on other computers of different OU.

One way to do this is by go on adding that user to local
admins group of all workstations. This is lenthy process. I
want to achieve this by simply defining administrator for
that OU?.

Is it possible to do that. If possible, how?. Can you
eloborate please?. Some body told in my earlier related
query that it is possible by restricted groups?. They have
not eloborated? I don't know what are these restricted
groups? what is the purpose of them?..

Thanks in advance.
Regards,
Srinivas Acharya
 
T

Tomasz Onyszko

Srinivas said:
Is it possible to do that. If possible, how?. Can you
eloborate please?. Some body told in my earlier related
query that it is possible by restricted groups?. They have
not eloborated? I don't know what are these restricted
groups? what is the purpose of them?..
Click to expand...

Yes, restricted groups are proper solution for this problem.
Restricted groups are defined in the GPO (for example GPO assigned on
the OU level) to force content of specified security group - for example
local administrators on client machine. IF You set this settings in
GPO on the OU level and then define in this GPO that in the builtin
administrators group only UsersA,UserB and DOmain Admins can be a member
of local administrators group this setting will be forced on all
machines affected by this GPO.
If somebody change this group membership on the next time policy will
applied the membership of local administrators group (for example) will
be set as defined in GPO.
 
S

Srinivas Acharya

Hi,
"
IF You set this settings in
GPO on the OU level and then define in this GPO that in
Click to expand...
the builtin administrators group only UsersA,UserB and
DOmain Admins can be a member of local administrators group
this setting will be forced on all machines affected by
this GPO".

This is fine. But I don't how to configure this.Please help me.

Regards,
Srinivas Acharya
 
T

Tomasz Onyszko

Srinivas said:
This is fine. But I don't how to configure this.Please help me.
Click to expand...
OK, create a GPO on the OU and edit it - next: Computer configuration ->
Windows Settings -> Security Settings -> Restricted groups

Rigth click -> add group -> Administrators
 
S

Srinivas Acharya

Hi
Thanks for the quick answer.

I know that.But I can't understand how it will work because
I added domain user to administrator group in the
restricted group of GPO on that OU. But when login as that
user on that PC, I don't have admin previleges. Is there
any thing that I have to do.
Regards,
Srinivas Acharya
 
S

Srinivas Acharya

Hi,
Any how I managed to add the domain user to local
administrator group with the help of restricted groups. but
now I have moved that PC from that OU. But still that user
is in the administrator group. Why still that user is
having admin previleges even though that user is no more in
that OU. Please any of you could address this issue?.
Regards,
Srinivas Acharya
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Regarding OU 9
Migrating from multiple child domain environment to single domain with OUs. What's correct method? 5
Restricted Groups 2
Restricted groups 1
Planning for OU 2
OU creation question 1
Require Computer object before joining Workstation 3
problem with restricted users 1

Top