Local admin

Lee HLee H Member Posts: 1,135
in Server 70-290
Hi

How can i make my domain account give me local admin on every machine i log into, not too savvy with server, and i have never made this possible before

Thanks

Lee H
.
· Share on FacebookShare on Twitter

Comments

  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Use restricted groups in a GPO, add your domain account to Administrators.

    Sorry for lack of detailed steps, there are 180 new posts since my last logon I have to skim through while at work - but maybe this will give you a place to start researching, it's pretty easy.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • dave0212dave0212 Member Posts: 287
    You can populate the local admins group via group policy using restricted groups setting
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    · Share on FacebookShare on Twitter
  • dave0212dave0212 Member Posts: 287
    Here's how

    Create a new or edit your current default domain group policy

    Under Computer Configuration
    Expand Windows Settings
    Expand Security Settings
    Select Restricted Groups
    Right click in the pane and Add Group
    and set as appropiate
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    · Share on FacebookShare on Twitter
  • Lee HLee H Member Posts: 1,135
    Thanks for your response

    I may have read this incorrectly but if I use restricted groups does that remove all local admin accounts from the local PC, read article below which states "Restricted Groups would then replace the current members of the localAdmins group with the users and groups you filled into the box. Please recognize my words, it would replace them - just wipe existing users out of the localAdmins group."


    http://www.frickelsoft.net/blog/?p=13


    If a new container is created in AD called "Local Admin" and mu user account is put in there, I then edit a GPO for that container and configure the restircted groups by adding a group called Local Admin which my user account is a member of

    Am I on the right track

    Lee H
    .
    · Share on FacebookShare on Twitter
  • dave0212dave0212 Member Posts: 287
    The way I have done this is to create a group called Administrators in restricted groups and add the domain and enterprise admins to the Members of this group box. It will remove any members of the local admins group that you do not specify, if anyone modifies this locally the accounts will be removed on the next GPO refresh.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    · Share on FacebookShare on Twitter
  • Lee HLee H Member Posts: 1,135
    Well oddly enough, each user of hi/her PC is actually a local admin of that PC only

    And its not even possible to put every user in that group cos then they would essentially be admin on every PC which cannot be done

    How easy is it to run a VB script, I know nothing about VB so please if you can help tell me slowly, lol

    Thanks for all your help guys, much appreciated

    Lee H
    .
    · Share on FacebookShare on Twitter
  • dave0212dave0212 Member Posts: 287
    Just read that link,

    I have done a direct update to the local admins group administrators removing the local settings. You can do this the other way round by creating a group and adding your user and then setting that to become a member of administrators group as discussed in the link

    I do it the other way to control and limit local admin access on the domain computers to only support personnel
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    · Share on FacebookShare on Twitter
  • Lee HLee H Member Posts: 1,135
    Hi

    This particular way of making a standard domain user account "local admin" of any PC on the domain is not a good one if there are already user/s who have been given "local admin" on particular PC's as it removes there admin access,

    For MS to include this feature in server 2003 I find it hard to understand that they have not taken into account the fact that many companies have no option but to grant local admin access to users for certain software titles to work,

    Is there any way of adjusting this so it doesnt remove current local admin rights?

    Lee H
    .
    · Share on FacebookShare on Twitter
  • dave0212dave0212 Member Posts: 287
    Yes if you do it the opposite way to how I have done it.

    If you create a group called LocalAdmins in AD and add your user account

    Then in the default Domain Policy or a new one
    Create a restricted group for
    YOURDOMAIN\LocalAdmins
    and in the "This group is a member of" and type Administrators

    This should leave your current local admins intact

    I do it the other way round to prevent users installing applications etc
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    · Share on FacebookShare on Twitter
  • dave0212dave0212 Member Posts: 287
    dave0212 wrote:
    Yes if you do it the opposite way to how I have done it.

    If you create a group called LocalAdmins in AD and add your user account

    Then in the default Domain Policy or a new one
    Create a restricted group for
    YOURDOMAIN\LocalAdmins
    and in the "This group is a member of" and type Administrators

    This should leave your current local admins intact

    I do it the other way round to prevent users installing applications etc

    Just tested this and it does leave local settings intact and merely adds the additional group. Never tried it this way before.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
    · Share on FacebookShare on Twitter
  • Lee HLee H Member Posts: 1,135
    Excellent David, thanks very much
    .
    · Share on FacebookShare on Twitter
Sign In or Register to comment.