local computer admins

[John M]

We want to use group policy to control what accounts get put into the
administrators group on users pcs. I know how to do this.. no problem.
How do I add indviual users to the administrators group to their pc only?
With out the group policy over riding it. In the past we've created a local
admin group in the domain, put users in there, and add that group to their
pc. The problem here is that everyone in that group gets local admin to all
the computers that have the domain local admin group.

Thanks
John

 

[Roger Abell]

The short answer is that you don't do this with group policy.
You could use a startup script that is sensitive to which machine
it is executing upon and check/adjust the membership of the local
administrators group. If this is done you must drop the restricted
group definition of administrators for such a startup scripted machine.
The alternatives are third-party products that extend group policy,
or using one GPO for each single machine.

 

[Guest]

This probably isn't the best method but is something alone the lines of what
you could do.

You could create a batch file with the following line as a logon script.
Obviously you don't want to leave this inplace for long as it is, or
possibly add some type of validation so that users don't go logon to several
machines and become admins.

net localgroup administrators northamerica\%username% /add

 

[Roger Abell]

A non-admin user is not able to add themselves to the Administrators group.
Machine startup scripts run with sufficient premissions, login scripts not.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

This probably isn't the best method but is something alone the lines of what
you could do.

You could create a batch file with the following line as a logon script.
Obviously you don't want to leave this inplace for long as it is, or
possibly add some type of validation so that users don't go logon to several
machines and become admins.

net localgroup administrators northamerica\%username% /add


--
James Brandt [MSFT]

We want to use group policy to control what accounts get put into the
administrators group on users pcs. I know how to do this.. no problem.
How do I add indviual users to the administrators group to their pc only?
With out the group policy over riding it. In the past we've created a
local
admin group in the domain, put users in there, and add that group to their
pc. The problem here is that everyone in that group gets local admin to
all
the computers that have the domain local admin group.

Thanks
John

 

[John M]

thanks for the replies, we found a script to add users to the local
accounts, and will add it to the gpo machine logon script

John

A non-admin user is not able to add themselves to the Administrators group.
Machine startup scripts run with sufficient premissions, login scripts not.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

This probably isn't the best method but is something alone the lines of what
you could do.

You could create a batch file with the following line as a logon script.
Obviously you don't want to leave this inplace for long as it is, or
possibly add some type of validation so that users don't go logon to several
machines and become admins.

net localgroup administrators northamerica\%username% /add


--
James Brandt [MSFT]

We want to use group policy to control what accounts get put into the
administrators group on users pcs. I know how to do this.. no problem.
How do I add indviual users to the administrators group to their pc only?
With out the group policy over riding it. In the past we've created a
local
admin group in the domain, put users in there, and add that group to their
pc. The problem here is that everyone in that group gets local admin to
all
the computers that have the domain local admin group.

Thanks
John