Administrative rights needed


Arsen

I have a couple of users in my facility who need admin rights to the local
machine but not to the domain. I have attempted many different things but
it still doesn't work. I have added the user to the local admin group, but
eventually the user gets removed from that group. I was told that the
restricted group policy had something to do with this, so I added the user
to the restricted group, but now they become domain admins, which is
something I do not want... Is there anything I can do?
 

Simon Geary

Move the computers in question to a new OU which does not get the restricted
groups group policy applied. Then you will be able to add them to the local
administrator group.

Another option, if they are trusted users, is to give them the password for the
local administrator account on that machine and let them use the runas
service to do admin tasks.
 

Arsen

The first idea is a great one, but how do I force a GPO that is applied to the
entire domain to not be applied on an OU within that domain?
I have about 20 different OUs.
 

Simon Geary

If it's applied at the domain level that makes it a bit more difficult.
On the security tab of the domain group policy, you could set the 'Apply
Group Policy' permission to Deny for the relevant users and computers but of
course this would have an impact on all the other policies contained in the
GPO so this might not be an acceptable solution.

Group Policies are applied in the order Site > Domain > OU, so a Group
Policy set at the OU level will take precedence over a domain-level policy
(except for account, IPSec and a few other settings that are domain-wide).
So what you can do is configure a group policy on your new OU that
configures the restricted groups the way you want; this should reverse the
change made by the domain-wide policy.
 

Cary Shultz [A.D. MVP]

Howdy! Howdy!

I might chime in here for a second. Simon, hope that you do not mind.

The Restricted User situation *MIGHT* be able to be resolved if you use the
*new* version. There is/was a patch that resolved exactly this situation.
With the *old* version, any user or group that was a member of the (in this
case) local Administrators group was replaced with whoever/whatever was
stipulated in the GPO. However, that was modified. With the *new* version,
whatever users/groups were members of the local Administrators group are
retained and whoever/whatever is stipulated by the GPO is simply added
to... aka does not replace.

Now that I have opened my big mouth I do not have the link to the MSKB
Article concerning this...I know that I experienced this problem a few moons
ago and contacted MS PSS and was given the modified file. I will have to
find it....Sorry for opening my mouth and not being able to deliver the
goods....

HTH,

Cary
 

Cary Shultz [A.D. MVP]

Thank you, Simon.


Simon Geary said:
Hi Cary, I think this is the KB that explains the change
http://support.microsoft.com/?id=810076

The latest version of this GPO has two possible options. One that will
replace the current members of the group and one that will merge with the
current members of the group. This KB explains the difference
http://support.microsoft.com/?id=228496
In Arsen's case, he would want to use the replace method so that the domain
level GPO was removed.

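Both of Simon's points above (an OU-level Restricted Groups policy superseding the domain one, and the replace-vs-add forms described in the two KB articles) depend on knowing which GPOs in the domain actually touch the local Administrators group. The script below is an added example, not code from this thread or from Microsoft: it walks every GPO's security template in SYSVOL and reports each Restricted Groups entry that targets Administrators, labelling it as the "Members of this group" (replace) form or the "This group is a member of" (add) form. It assumes the GroupPolicy RSAT module is installed and that the account running it can read SYSVOL; the function name Test-IsAdminGroup and the output column names are my own.

```powershell
# Added example (not from the thread): list every GPO whose Restricted Groups
# setting touches BUILTIN\Administrators, and whether it replaces or adds.
# Assumes the GroupPolicy RSAT module and read access to SYSVOL.
Import-Module GroupPolicy

$adminSid = 'S-1-5-32-544'          # well-known SID of BUILTIN\Administrators

function Test-IsAdminGroup([string]$name) {
    # Restricted Groups entries name a group either as *SID or as a plain name
    $n = $name.Trim().TrimStart('*')
    return ($n -eq $adminSid) -or ($n -ieq 'Administrators') -or ($n -ieq 'BUILTIN\Administrators')
}

$results = foreach ($gpo in Get-GPO -All) {
    # Machine-side security settings live in a security template under the GPO's SYSVOL folder
    $inf = Join-Path $gpo.Path 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO has no security settings

    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        # Track the [Group Membership] section; ignore everything else in the template
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        # Entries look like:  *S-1-5-32-544__Members = *S-1-5-21-...-512,DOMAIN\Someone
        #                or:  DOMAIN\LocalAdmins__Memberof = Administrators
        if (-not $inSection -or $line -notmatch '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') { continue }
        $group, $key, $value = $Matches[1], $Matches[2], $Matches[3]

        if ($key -eq 'Members' -and (Test-IsAdminGroup $group)) {
            # Replace form: Administrators' membership becomes exactly this list
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Mode = 'Members (replace)'; Entry = "$group = $value" }
        }
        elseif ($key -eq 'Memberof' -and ($value -split ',' | Where-Object { Test-IsAdminGroup $_ })) {
            # Add form: $group is added to Administrators without removing existing members
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Mode = 'Memberof (add)'; Entry = "$group -> Administrators" }
        }
    }
}

$results | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation and compare the output with `gpresult /scope computer /v` on one of the affected machines, whose Restricted Groups section names the GPO that actually won. If the domain-wide GPO shows up in the "Members (replace)" form, an OU-level GPO that also uses the "Members" form for Administrators will supersede that list on the computers in that OU, which is the override Simon describes; an OU-level GPO using only the "Memberof (add)" form would still leave the domain policy's replace list in effect.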
 
