Local admin

Lee H

Hi

How can i make my domain account give me local admin on every machine i log into, not too savvy with server, and i have never made this possible before

Thanks

Lee H

sprkymrk

Use restricted groups in a GPO, add your domain account to Administrators.

Sorry for lack of detailed steps, there are 180 new posts since my last logon I have to skim through while at work - but maybe this will give you a place to start researching, it's pretty easy.

dave0212

You can populate the local admins group via group policy using restricted groups setting

dave0212

Here's how

Create a new or edit your current default domain group policy

Under Computer Configuration
Expand Windows Settings
Expand Security Settings
Select Restricted Groups
Right click in the pane and Add Group
and set as appropiate

Lee H

Thanks for your response

I may have read this incorrectly but if I use restricted groups does that remove all local admin accounts from the local PC, read article below which states "Restricted Groups would then replace the current members of the localAdmins group with the users and groups you filled into the box. Please recognize my words, it would replace them - just wipe existing users out of the localAdmins group."


http://www.frickelsoft.net/blog/?p=13


If a new container is created in AD called "Local Admin" and mu user account is put in there, I then edit a GPO for that container and configure the restircted groups by adding a group called Local Admin which my user account is a member of

Am I on the right track

Lee H

dave0212

The way I have done this is to create a group called Administrators in restricted groups and add the domain and enterprise admins to the Members of this group box. It will remove any members of the local admins group that you do not specify, if anyone modifies this locally the accounts will be removed on the next GPO refresh.

Lee H

Well oddly enough, each user of hi/her PC is actually a local admin of that PC only

And its not even possible to put every user in that group cos then they would essentially be admin on every PC which cannot be done

How easy is it to run a VB script, I know nothing about VB so please if you can help tell me slowly, lol

Thanks for all your help guys, much appreciated

Lee H

dave0212

Just read that link,

I have done a direct update to the local admins group administrators removing the local settings. You can do this the other way round by creating a group and adding your user and then setting that to become a member of administrators group as discussed in the link

I do it the other way to control and limit local admin access on the domain computers to only support personnel

Lee H

Hi

This particular way of making a standard domain user account "local admin" of any PC on the domain is not a good one if there are already user/s who have been given "local admin" on particular PC's as it removes there admin access,

For MS to include this feature in server 2003 I find it hard to understand that they have not taken into account the fact that many companies have no option but to grant local admin access to users for certain software titles to work,

Is there any way of adjusting this so it doesnt remove current local admin rights?

Lee H

dave0212

Yes if you do it the opposite way to how I have done it.

If you create a group called LocalAdmins in AD and add your user account

Then in the default Domain Policy or a new one
Create a restricted group for
YOURDOMAIN\LocalAdmins
and in the "This group is a member of" and type Administrators

This should leave your current local admins intact

I do it the other way round to prevent users installing applications etc

dave0212

dave0212 wrote:

Yes if you do it the opposite way to how I have done it.

If you create a group called LocalAdmins in AD and add your user account

Then in the default Domain Policy or a new one
Create a restricted group for
YOURDOMAIN\LocalAdmins
and in the "This group is a member of" and type Administrators

This should leave your current local admins intact

I do it the other way round to prevent users installing applications etc

Just tested this and it does leave local settings intact and merely adds the additional group. Never tried it this way before.

Lee H

Excellent David, thanks very much