Making a Domain Group Local Admins Via Group Policy

Paul Anderson

I want to create a Support Engineer group for our support guys, so they can
have local but not domain admin rights.

I would like to do it through group policy by applying it to an OU so that
they have local admin rights to any machines under that OU. How do I do
this?

I've been adding them to the local Administrators group on each machine by
script, but this is cumbersome and needs to be done every time a new machine
is added to the network. Having this done automatically through Group
Policy would be much tidier.

Details:

Desktop O/S: Windows XP SP2
Server O/S: Windows Server 2003
Active Directory mode: 2003 Native
 
Jerold Schulman

See tip 5319 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
 
Cary Shultz [A.D. MVP]

Paul,

This question is asked at least 10 times a week! ;-)

Please search this NG for 'Restricted Groups'. That is your answer.

And, most people would suggest that normal user account objects are *NOT*
added to the computer's local Administrator group. I can sing a song or two
about users deleting their FONTS folder to make room for their music files
or to make sure that only the fonts that they need for a project are
available! I know that this is for a Support Group. Just keep in mind that
for normal users this is a bad idea.

Now, when creating the GPO make sure that you follow the following MSKB
Article: http://support.microsoft.com/?id=320065. It is important that you
do this from a workstation that has the ADMINPAK installed. Even though
this article is for WIN2000 and you have WIN2003 the same concepts apply.
Do it from a workstation or have fun trying to figure things out!

Additionally, be aware that the default behavior is to flush the contents of
the affected computer account objects' local Administrators group and replace
it with the group that you specify. You might want to add two groups when
creating the GPO: the Support group that you have created and the Domain
Admins group. There is a fix for this that modifies the default behavior.
Please look at the following MSKB Article:
http://support.microsoft.com/?id=810076. I might stay with the default,
though. This way you know who is a member.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
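
The flush-and-replace caveat above can be checked before a GPO is linked. This is an added example, not part of the original thread: it reads the [Group Membership] section of a GPO's GptTmpl.inf security template and warns when the list that replaces local Administrators omits Domain Admins or the support group. It assumes the entries are stored as SIDs; the domain SID and RIDs in the sample are constructed.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the local Administrators group
DOMAIN_ADMINS_RID = "512"        # well-known RID of Domain Admins in any domain

# Constructed sample: the domain SID and RID 1620 (support group) are made up.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1620
"""
SUPPORT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1620"


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not (in_section and m):
            continue
        group = m.group(1).strip().lstrip("*")
        values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
        groups.setdefault(group, {"members": None, "memberof": None})
        groups[group][m.group(2).lower()] = values
    return groups


def audit_local_admins(inf_text, support_sid):
    """List problems with the list that will replace local Administrators."""
    entry = parse_group_membership(inf_text).get(ADMINISTRATORS)
    if not entry or not entry["members"]:
        return ["no Members list defined for local Administrators"]
    members, findings = entry["members"], []
    if not any(re.fullmatch(r"S-1-5-21-[\d-]+-" + DOMAIN_ADMINS_RID, s) for s in members):
        findings.append("Domain Admins not listed: the policy will remove it")
    if support_sid not in members:
        findings.append("support group not listed")
    return findings


if __name__ == "__main__":
    for finding in audit_local_admins(SAMPLE_INF, SUPPORT_SID):
        print("WARNING:", finding)
```
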
 
