Group Policy - Restricted Users Question
I have a W2k3 domain, and need to find a way to add whoever logs in (domain logins) to the local administrator group. From what I can tell, I've read to use restricted groups in group policy to accomplish this. Has anyone done this, because the policy is not very intuitive...and nowhere in creating the policy can I select the local admin group.
I'm wondering if there might be some kind of a handy login script I could use...or any other method if there are better ideas.
Comments
Claymoore (Member, Posts: 1,637):
Let me start by saying that giving everyone administrator access to their PCs is a very bad idea. I hope this is only for a small set of users that actually require admin access to perform their jobs. Otherwise look into opening specific rights through Group Policy rather than giving everyone blanket admin access. When you give everyone admin rights, you have effectively turned your corporate network into an unmanaged system. You might as well allow everyone to bring their own PCs and plug them in to your network.
You can select the Local Administrators group, but you have to change the scope in the drop-down box where you search. Instead of looking at the domain, choose your local PC. This will bring up the local groups, including Administrators and Remote Desktop Users.
Adding anyone to this group REMOVES whomever is already in the local group. This can play hell with the workstations so you have to remember to include the Local System and Network Service accounts (also from your local PC) in the local admin group. If you look at the admin group now, they won't appear, but leaving them out will break all kinds of things like WMI. Definitely test your settings before pushing the GPO to everyone.
blargoe (Member, Posts: 4,174):
The Restricted Groups GPO will have a list of user SIDs that will be forced into the group that you specify. In this case I think you can't really use restricted groups, because the user is going to be dynamic, not determined until logon.
I'm pretty sure there is a way in the command line to modify local groups... if you wanted to deploy this in a logon script, you'd have to run the command in the logon script as a user that has admin rights on every computer... e.g., a Domain Admin.
If you're letting whoever logs in be an admin, why not just put domain users in the local Administrators group?
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
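The SID list blargoe describes, and the replace-rather-than-add behaviour Claymoore warns about, are both visible in the GPO's security template: Restricted Groups is stored as a `Members =` line for the group's SID, and whatever is on that line becomes the group's entire membership at the next policy refresh. The PowerShell below is an added example, not code from the thread. The template text is constructed for the example (the domain SID and the CORP\Helpdesk group are made up); a real template sits in SYSVOL under the policy's Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, and you would read that file instead of the sample.

```powershell
# Added example (not from the thread): parse the Restricted Groups section of a
# GptTmpl.inf security template and report what it would enforce on the local
# Administrators group (BUILTIN\Administrators, S-1-5-32-544), flagging grants
# that hand admin rights to everyone who logs on.
#
# The template below is a constructed sample; replace it with
#   Get-Content '\\CORP\SYSVOL\...\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
# to audit a real policy. The domain SID and 'CORP\Helpdesk' are made up.
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-4,CORP\Helpdesk
'@

function Get-RestrictedGroupMembers {
    param([string[]] $TemplateLines)
    # Returns a hashtable keyed "<group>|Members" / "<group>|Memberof" -> list of members.
    $inSection = $false
    $result = @{}
    foreach ($raw in $TemplateLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or -not $line) { continue }
        # Key form: <group>__Members = a,b,c   (SIDs carry a leading '*', names do not)
        if ($line -match '^(?<group>[^=]+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group   = $Matches['group'].TrimStart('*')
            $members = @($Matches['list'].Split(',') |
                         ForEach-Object { $_.Trim().TrimStart('*') } |
                         Where-Object { $_ })
            $result["$group|$($Matches['kind'])"] = $members
        }
    }
    return $result
}

function Describe-Sid {
    param([string] $Sid)
    # Well-known SIDs/RIDs that matter for this thread; anything else is shown as written.
    switch -Regex ($Sid) {
        '^S-1-5-4$'         { return 'NT AUTHORITY\INTERACTIVE (anyone logged on at the console)' }
        '^S-1-5-11$'        { return 'NT AUTHORITY\Authenticated Users' }
        '^S-1-5-21-.*-512$' { return 'Domain Admins' }
        '^S-1-5-21-.*-513$' { return 'Domain Users (every account in the domain)' }
        default             { return $Sid }
    }
}

$policy = Get-RestrictedGroupMembers -TemplateLines ($sampleTemplate -split "`r?`n")
$admins = $policy['S-1-5-32-544|Members']

'Restricted Groups would set local Administrators to exactly:'
foreach ($m in $admins) { "  $(Describe-Sid $m)" }
# Everything not on that list, including accounts added by hand on individual PCs,
# is removed from the group when the policy is applied.

$broad = @($admins | Where-Object { $_ -match '^S-1-5-4$|^S-1-5-11$|-513$' })
if ($broad.Count -gt 0) {
    Write-Warning "Broad grant(s) to local Administrators: $($broad -join ', ')"
}
```

With the sample template the script lists Domain Admins, INTERACTIVE and CORP\Helpdesk, then warns about S-1-5-4, which is the "NT AUTHORITY\interactive" answer given later in this thread expressed as a SID. Running it over every GptTmpl.inf in SYSVOL is a quick way to find which policies already push broad membership into local Administrators.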
brad- (Member, Posts: 1,218):
Claymoore wrote: »Let me start by saying that giving everyone administrator access to their PCs is a very bad idea.
It is a serious pain, and we move people around quite often.
RobertKaucher (Member, Posts: 4,299):
blargoe wrote: »The Restricted Groups GPO will have a list of user SIDs that will be forced into the group that you specify. In this case I think you can't really use restricted groups, because the user is going to be dynamic, not determined until logon.
You would use "NT AUTHORITY\interactive".
Here is another article:
How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations
I would just add interactive to the local admins on *ONLY* the systems that required it. How many are we talking about? Is it a pain to configure?
brad- (Member, Posts: 1,218):
RobertKaucher wrote: »You would use "NT AUTHORITY\interactive".
I would just add interactive to the local admins on *ONLY* the systems that required it. How many are we talking about? Is it a pain to configure?
RobertKaucher (Member, Posts: 4,299):
Do you have a list of the IPs or the hostnames? You could script net localgroup using PSExec.
brad- (Member, Posts: 1,218):
RobertKaucher wrote: »Do you have a list of the IPs or the hostnames? You could script net localgroup using PSExec.
I have a list of both.
I am unfamiliar with PSexec. I googled but the examples were sparse. Do you have any examples by chance? I saw one that points to a text file containing the computer names, but I don't know what format to put them in, if that is in fact servers to run it on, or computers to apply it to...so many questions.
Devilsbane (Member, Posts: 4,214):
You could simply go to each workstation and add domain users to the local administrator group. This could be done via a script too to automate things (using the cacls command).
Like some others have said, granting admin rights to each person is typically a bad idea. While convenient, any dumb user can easily break their own computer and potentially others as well.
Before giving everyone admin rights, make sure you fully exhaust different compatibility modes. Even adding users to the power users group is better than unleashing the world.
Decide what to be and go be it.
brad- (Member, Posts: 1,218):
Devilsbane wrote: »You could simply go to each workstation and add domain users to the local administrator group. This could be done via a script too to automate things (using the cacls command).
2 things. 1 - where were you 6 months ago? I could have had that done when I installed the equipment if I had known. 2 - Examples?
Devilsbane (Member, Posts: 4,214):
Examples of how to add domain users to administrators or to use the cacls command?
brad- (Member, Posts: 1,218):
Devilsbane wrote: »Examples of how to add domain users to administrators or to use the cacls command?
undomiel (Member, Posts: 2,818):
Use restricted users to add the domain users to the workstations' administrator group. Or alternatively you could use net localgroup administrators "domain\Domain Users" /add if memory serves.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
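Putting RobertKaucher's suggestion (script it over the hostname list with PsExec) together with undomiel's command, and answering brad-'s request for a worked example, the PowerShell below audits the local Administrators group on every machine in a list and, only when `-Apply` is given and the member is not already there, runs the `net localgroup ... /add` command remotely, logging the before-state of every host to a CSV. This is an added example, not code from the thread or from Sysinternals. It assumes psexec.exe is on the PATH (a current build that supports `-nobanner`), that the account running the script is already a local administrator on each target (a Domain Admin, as blargoe pointed out), that `computers.txt` holds one hostname or IP per line, and the member names `NT AUTHORITY\INTERACTIVE` and `CORP\Domain Users` are the two choices discussed above with a made-up domain name.

```powershell
# Added example (not from the thread): audit, and optionally change, local Administrators
# membership on a list of workstations via PsExec + net localgroup.
#
# Assumptions: psexec.exe (Sysinternals) is on the PATH and supports -nobanner; the caller
# is already an admin on every target; $ComputerList has one hostname or IP per line.
# Usage:
#   .\Set-LocalAdmins.ps1 -ComputerList .\computers.txt                                  # audit only
#   .\Set-LocalAdmins.ps1 -ComputerList .\computers.txt -Member 'CORP\Domain Users' -Apply
param(
    [Parameter(Mandatory = $true)] [string] $ComputerList,
    [string] $Member  = 'NT AUTHORITY\INTERACTIVE',   # or 'CORP\Domain Users' (domain name made up)
    [switch] $Apply,                                   # without this switch nothing is changed
    [string] $LogFile = '.\localadmin-audit.csv'
)

function Get-LocalAdmins {
    param([string] $Computer)
    # "net localgroup Administrators" prints a header, a dashed separator, one member per
    # line, then "The command completed successfully." Keep only the member lines.
    $out = & psexec.exe "\\$Computer" -nobanner net localgroup Administrators 2>&1
    if ($LASTEXITCODE -ne 0) { throw "psexec/net on $Computer failed with exit code $LASTEXITCODE" }
    $members = @(); $inList = $false
    foreach ($line in $out) {
        $t = "$line".Trim()
        if ($t -match '^-{5,}$') { $inList = $true; continue }
        if (-not $inList -or -not $t -or $t -match 'completed successfully') { continue }
        $members += $t
    }
    return $members
}

function Add-LocalAdmin {
    param([string] $Computer, [string] $Account)
    # undomiel's command, run on the remote host; PsExec returns the remote exit code.
    & psexec.exe "\\$Computer" -nobanner net localgroup Administrators "$Account" /add 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$computers = Get-Content $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($c in $computers) {
    try {
        $before  = Get-LocalAdmins -Computer $c
        $present = $before -contains $Member           # -contains is case-insensitive
        $action  = 'audit'
        if ($Apply -and -not $present) {
            $action = if (Add-LocalAdmin -Computer $c -Account $Member) { 'added' } else { 'add-failed' }
        }
        [pscustomobject]@{
            Computer = $c; MembersBefore = ($before -join ';'); HasMember = $present
            Action   = $action; Error = ''
        }
    } catch {
        [pscustomobject]@{
            Computer = $c; MembersBefore = ''; HasMember = $false
            Action   = 'unreachable'; Error = $_.Exception.Message
        }
    }
}

# The CSV is the record of what each machine looked like before any change was made.
$report | Export-Csv -Path $LogFile -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once without `-Apply` first: the MembersBefore column tells you which machines already have extra accounts in Administrators, which is usually the list that needs cleaning up rather than extending. Two caveats follow from earlier posts in this thread: a manual `net localgroup` addition is undone on the next refresh of any Restricted Groups policy that targets Administrators, and with `NT AUTHORITY\INTERACTIVE` as the member every account that logs on at the console, not only the intended users, becomes a local administrator.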
blargoe (Member, Posts: 4,174):
RobertKaucher wrote: »You would use "NT AUTHORITY\interactive".