Local admin through group policy and keep admin on local machine?

Post by S2V2aW4gUm » Fri, 23 Mar 2007 08:10:05


I have created a local admin group policy giving a group admin rights over an
OU (this is to be for our help desk). Some of our software programs require
users to have local admin access as well (so I give it to them through their
domain account on the local PC; I don't want to add them to the help desk group
and give them local admin on all the OU PCs). The problem is that the
following day the admin account on the local PC is automatically removed from
the list of administrators. I have this set up in a beta environment so we
don't have to go to each machine, each day, to add them back in. Any ideas on
how to block this? I have tried to turn "no override" on in the GP options,
but this too disappears the following day. Is there any way I can speed up
whatever cycle time it is on so that I don't have to wait a day to see if it
works? (I always do a forced update after I make changes.) Thanks in advance.
 
 
 


Post by Al Mulnic » Fri, 23 Mar 2007 08:58:05

A change in approach is probably warranted. Consider doing this with
startup scripts vs. restricted groups and use the GPO to enforce the startup
scripts. The startup script would just add the domain group to the local
administrators vs. making it the only group.

There are several examples of how to do this on the web. Search for
restricted groups local administrators and you should find what you're
after.

Al
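The additive startup script Al describes, as an added example that is not code from this thread or from any of the posters. It assumes a domain named CONTOSO and a help-desk group named Support (both placeholders), and it uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows PowerShell 5.1 and later; assign it under Computer Configuration / Windows Settings / Scripts / Startup in the GPO linked to the computers' OU.

```powershell
# Added example (not from the thread): a computer startup script that ADDS a
# domain group to the local Administrators group and leaves every existing
# member in place, instead of replacing the membership the way a Restricted
# Groups "Members" list does.
# Placeholders: domain CONTOSO, help-desk group "Support".

$DomainGroup = 'CONTOSO\Support'   # placeholder help-desk group
$LocalGroup  = 'Administrators'
$LogFile     = "$env:SystemRoot\Temp\localadmin-startup.log"

function Test-LocalGroupHasMember {
    param([string]$Group, [string]$Member)
    try {
        # Name comes back in DOMAIN\Account form, which is what we compare on.
        $names = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
                 ForEach-Object { $_.Name }
        return ($names -contains $Member)
    }
    catch {
        # Get-LocalGroupMember throws when the group still holds an orphaned
        # SID (for example a deleted domain account). Fall back to the legacy
        # tool, which prints one member per line; -contains is case-insensitive.
        $raw = net localgroup $Group 2>$null
        return ($raw -contains $Member)
    }
}

$stamp = Get-Date -Format o
if (-not (Test-LocalGroupHasMember -Group $LocalGroup -Member $DomainGroup)) {
    # Add-LocalGroupMember errors if the member is already present, hence the
    # check above; nothing else in the group is touched.
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
    Add-Content -Path $LogFile -Value "$stamp added $DomainGroup to $LocalGroup"
}
else {
    Add-Content -Path $LogFile -Value "$stamp $DomainGroup already in $LocalGroup"
}
```

Because the script only ever adds the one group, a per-machine domain account that an administrator adds by hand survives every reboot and every policy refresh; the trade-off is that the script cannot remove anything, so unwanted members have to be caught by a separate check.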

 
 
 


Post by Roger Abel » Fri, 23 Mar 2007 17:51:23

The way I am hearing this is that you need a custom support
group to always be in the machine local Administrators group
on all of a set of machines that you have in an OU, and then,
on some of those machines you also need to have the domain
account of a user of the machine, and this last part differs per
machine.
How I would go about this is via Restricted Group definition
in GPO for the custom support group, and then adding the per
machine domain account via script (just run at cmd prompt) or
via manual addition if number of machines needing this is small.
To add the custom support group, let us say it is named Support,
a domain group, use a GPO that is linked to the OU and in it
define as a Restricted Group "Support" (yes, not Administrators
but Support, the group to be added to each local Administrators
group). In the Restricted Group definition leave the Members
list empty, and in the Member Of list add Administrators.
If you want to control the domain accounts that are members in
Support, do this in a GPO that has the DCs OU within its scope.
The GPO linked to the OU will make sure that Support is in
Administrators and it will not cause anything that is already
in the machine local Administrators group to be removed.
If you then add the per machine domain account as/where
needed it will stay a member of Administrators. If that domain
user removes Support from their machine's Administrators group
the Support group will be restored as a member as soon as the
GPO is reapplied.

As far as you wanting to immediately refresh policy, it sounds
like you have tried gpupdate on the client but have not found it to work.
If that is the case it may be that you did this before the changed
GPO had replicated to the DC preferred by that client. Make
sure that you use the /force switch.

Roger
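A drift check for the setup Roger lays out, added here as an example and not code from this thread or from Roger. It reads the machine's local Administrators group and reports which required members are missing and which members are neither required nor explicitly allowed, so the "account disappeared overnight" symptom shows up in a report rather than when a user loses rights. The domain CONTOSO, the Support group and the per-machine account CONTOSO\jsmith are placeholders; it uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later).

```powershell
# Added example (not from the thread): compare actual local Administrators
# membership against what the GPO plus per-machine additions should produce.
# Placeholders: CONTOSO, Support, jsmith.

function Get-LocalAdminDrift {
    param(
        # Members the Restricted Group "Member Of" setting is meant to guarantee.
        [string[]]$Required = @('CONTOSO\Support', 'CONTOSO\Domain Admins'),
        # Members allowed in addition on this particular machine.
        [string[]]$Allowed  = @("$env:COMPUTERNAME\Administrator")
    )

    # Get-LocalGroupMember names members as DOMAIN\Account or COMPUTER\Account.
    $actual = @(Get-LocalGroupMember -Group 'Administrators' |
                ForEach-Object { $_.Name })
    $permitted = $Required + $Allowed

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Checked    = Get-Date
        Missing    = @($Required | Where-Object { $actual    -notcontains $_ })
        Unexpected = @($actual   | Where-Object { $permitted -notcontains $_ })
    }
}

# Local run; for a fleet, wrap the function in Invoke-Command -ComputerName
# (needs WinRM). Non-zero exit lets a scheduled task or monitor flag the host.
$report = Get-LocalAdminDrift -Allowed @("$env:COMPUTERNAME\Administrator",
                                          'CONTOSO\jsmith')
$report | Format-List
if ($report.Missing.Count -gt 0 -or $report.Unexpected.Count -gt 0) { exit 1 }
```

If Missing is non-empty right after `gpupdate /force`, the explanation Roger gives (the edited GPO has not yet replicated to the DC the client uses) is the first thing to rule out; `gpresult /r /scope computer` shows which DC the policy was pulled from and which GPOs were applied.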
 
 
 


Post by Paul Bergs » Fri, 23 Mar 2007 22:06:16

You could use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators





There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.yqcomputer.com/

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
 


Post by Roger Abel » Sat, 24 Mar 2007 00:34:45

"Al Mulnick" < XXXX@XXXXX.COM > wrote in message
news:%23Pqo5$ XXXX@XXXXX.COM ...


Works like a champ - post W2k3 SP4, XP SP2, W2k3 SP1 clients of the GPO.
We use it to provision for our client system support unit's subsets of
people.

In case of poster, to do all from client side sounds like they would have to
have a number of GPOs that each target one machine (for the per machine
unique domain account that ought to be a member in addition to the uniform group)

Roger




 
 
 


Post by Paul Bergs » Sat, 24 Mar 2007 05:53:18

If you want to make your help desk local admins, I have found this works
best.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Al Mulnick" < XXXX@XXXXX.COM > wrote in message
news:%23Pqo5$ XXXX@XXXXX.COM ...