Use Active Directory to set work station local rights

Eric W. Holzapfel

Hello Active Directory,

I have a win 2000 server, and would like to be able to allow a group of
users to have administrator privileges (not domain administrator privs)
on the work station(s) they log in to. I would like to permit admin
rights on the workstation without having to go to each work station, and
adding the specific user to the local administrators group. Can I do
this with Active Directory and some sort of group policy?

Thanks,

eric
 
Cary Shultz [A.D. MVP]

Eric,

This question is asked quite often. Please take a look at Restricted
Groups.....

Just remember that you want to strongly consider creating this GPO on a
workstation that has the ADMINPAK installed...Otherwise, have fun trying to
figure it all out! I just about tore my hair out [ and as my wife would
point out, it is not 'hairs', just hair! ;-) ] trying to do all of it on a
Domain Controller. Possible, but really difficult. Go with the
workstation solution.

Anyway, you should be doing just about all of your admin stuff on a
workstation, anyway ( but that is how I like to do it...the choice is yours
and I can not tell anyone how to do things... ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
ptwilliams

An alternative to Restricted Groups, as the interface causes many to
stumble, is to use a startup script that uses the net localgroup command via
a batch file. Something like this:

net localgroup administrators /add DOMAIN\GroupName


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Cary Shultz [A.D. MVP]

But, then you lose the point of restricting which user account objects /
group objects can be made members of what local group accounts....If you do
that, then anyone can still be made a member of the local Administrators
group.

Do not get me wrong, it is still a way to accomplish what they want to
do...just partially, though.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



ptwilliams

Ah yes, the actual reason for the feature. I tend to forget about that, as
it seems to be only used to add people to groups - no one seems to care
about keeping specific groups members ;-)

Good point!!!


How's it going anyway? Has your second son come along yet?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Cary Shultz [A.D. MVP]

I find that the interface is not so bad if you are doing it from a
workstation with the Adminpak installed. From a Domain Controller it is
indeed a bit, er, convoluted!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com


