part -8 group policy

Adding a Domain Group to the Local Administrators Group

KB ID 0000589 Dtd 02/04/12

Problem

This weekend I've been doing a school migration (go live is tomorrow). Just as we were finishing up today, we found out a client application needed a certain user group to have LOCAL administrator rights on the client machines.
I remembered that it could be done and it had something to do with "Restricted Groups". So when I got home I fired up the test network and ran through it for tomorrow.

Solution

1. Launch "Active Directory Users and Computers" (Start > Run > dsa.msc {enter}). Ensure you have a domain security group (not a distribution group) containing the domain members you wish to grant access to.
2. On a domain controller, Start > Administrative Tools > Group Policy Management > Locate the OU that contains the computers that you wish to grant administrative rights to > Right click > Create a GPO in this domain, and Link it here.
Warning: Do not create a GPO on an OU that contains servers or anything you would NOT want your users to have administrative access to.
3. Give the policy a sensible name.
4. Edit the policy that you have just created.
5. Navigate to:
Right click > Add Group.
6. Browse and locate your domain security group > OK.
7. Under "This group is a member of" > Add > Add in Administrators > OK.
8. Apply > OK
9. Now on your clients, the domain group will be added to the local administrators group.
Note: this may require a reboot or a "gpupdate /force" command.
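
To confirm step 9 from the command line, the following added example (not part of the original article) checks a client's local Administrators group for the domain group and lists the other members, which the "This group is a member of" setting leaves in place rather than removing. The group name EXAMPLE\App-LocalAdmins is a placeholder; save the code as a script and run it elevated on a domain-joined client.

```powershell
# Added example: run in an elevated PowerShell 5.1+ session on a domain-joined client.
# 'EXAMPLE\App-LocalAdmins' is a placeholder, not a name from the article.
param([string]$ExpectedGroup = 'EXAMPLE\App-LocalAdmins')

# Re-apply computer policy so the Restricted Groups setting takes effect now.
gpupdate /target:computer /force | Out-Null

# Translate the domain group name to its SID and compare on SIDs, not display names.
$expectedSid = ([System.Security.Principal.NTAccount]$ExpectedGroup).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# which avoids depending on the (localised) group name.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)

if ($members.SID.Value -contains $expectedSid) {
    Write-Output "OK: $ExpectedGroup is in the local Administrators group."
} else {
    Write-Warning "$ExpectedGroup is NOT in local Administrators. Check 'gpresult /r /scope computer' and the GPO link."
}

# Every other member is still a local administrator, so list them for review.
$members | Where-Object { $_.SID.Value -ne $expectedSid } |
    Select-Object Name, ObjectClass, PrincipalSource, @{n='SID'; e={ $_.SID.Value }} |
    Format-Table -AutoSize
```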