
Group Policy - Restricted Users Question

brad- Member Posts: 1,218
I have a W2k3 domain, and need to find a way to add whoever logs in (domain logins) to the local administrator group. From what I can tell, I've read to use restricted groups in group policy to accomplish this. Has anyone done this, because the policy is not very intuitive...and nowhere in creating the policy can I select the local admin group.

I'm wondering if there might be some kind of a handy login script I could use...or any other method if there are better ideas.

Comments

  • Claymoore Member Posts: 1,637
    Let me start by saying that giving everyone administrator access to their PCs is a very bad idea. I hope this is only for a small set of users that actually require admin access to perform their jobs. Otherwise look into opening specific rights through Group Policy rather than giving everyone blanket admin access. When you give everyone admin rights, you have effectively turned your corporate network into an unmanaged system. You might as well allow everyone to bring their own PCs and plug them in to your network.

    You can select the Local Administrators group, but you have to change the scope in the drop-down box where you search. Instead of looking at the domain, choose your local PC. This will bring up the local groups, including Administrators and Remote Desktop Users.

    Adding anyone to this group REMOVES whoever is already in the local group. This can play hell with the workstations, so you have to remember to include the Local System and Network Service accounts (also from your local PC) in the local admin group. If you look at the admin group now, they won't appear, but leaving them out will break all kinds of things like WMI. Definitely test your settings before pushing the GPO to everyone.
  • blargoe Member Posts: 4,174
    The Restricted Groups GPO will have a list of user SIDs that will be forced into the group that you specify. In this case I think you can't really use restricted groups, because the user is going to be dynamic, not determined until logon.

    I'm pretty sure there is a way in the command line to modify local groups... if you wanted to deploy this in a logon script, you'd have to run the command in the logon script as a user that has admin rights on every computer... e.g., a Domain Admin.

    If you're letting whoever logs in be an admin, why not just put domain users in the local Administrators group?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • brad- Member Posts: 1,218
    Claymoore wrote: »
    Let me start by saying that giving everyone administrator access to their PCs is a very bad idea.
    We have some old credit card equipment that requires local admin rights for the pinpad to work consistently, and to load the drivers for the magswipe and receipt printer.

    It is a serious pain, and we move people around quite often.
  • RobertKaucher Member Posts: 4,299
    blargoe wrote: »
    The Restricted Groups GPO will have a list of user SIDs that will be forced into the group that you specify. In this case I think you can't really use restricted groups, because the user is going to be dynamic, not determined until logon.

    You would use "NT AUTHORITY\interactive".

    Here is another article:
    How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations

    I would just add interactive to the local admins on *ONLY* the systems that required it. How many are we talking about? Is it a pain to configure?
  • brad- Member Posts: 1,218
    RobertKaucher wrote: »
    You would use "NT AUTHORITY\interactive".

    I would just add interactive to the local admins on *ONLY* the systems that required it. How many are we talking about? Is it a pain to configure?
    About 70. Not really a pain, but time consuming and somewhat interruptive. I basically have to log on to each machine as admin and add the domain user account to the local admin group.
  • RobertKaucher Member Posts: 4,299
    Do you have a list of the IPs or the hostnames? You could script net localgroup using PsExec.
  • brad- Member Posts: 1,218
    RobertKaucher wrote: »
    Do you have a list of the IPs or the hostnames? You could script net localgroup using PsExec.

    I have a list of both.

    I am unfamiliar with PsExec. I googled, but the examples were sparse. Do you have any examples by chance? I saw one that points to a text file containing the computer names, but I don't know what format to put them in, or whether that is in fact the servers to run it on or the computers to apply it to...so many questions.
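An added example, not from anyone in this thread: a PowerShell script that takes the hostname list brad has and audits the local Administrators group on each machine through the ADSI WinNT provider (which reaches XP/2003-era hosts without PowerShell remoting), flagging broad principals like Domain Users or INTERACTIVE, and only adds a group when explicitly asked. The file name hosts.txt (one hostname per line), the domain name CORP and the group POS-LocalAdmins are placeholders; a dedicated group for the POS machines is assumed instead of all of Domain Users.

```powershell
# Added example (not from the thread): audit, and optionally adjust, the local
# Administrators group on a list of workstations via ADSI (WinNT provider).
# Assumptions: hosts.txt has one hostname per line; the caller already holds
# local admin rights on each target (RPC reachable); "CORP\POS-LocalAdmins" is
# a placeholder domain group created for the POS machines instead of
# granting "Domain Users" blanket admin rights.
param(
    [string]$HostList    = '.\hosts.txt',
    [string]$DomainGroup = 'CORP\POS-LocalAdmins',   # placeholder, adjust
    [switch]$Add                                      # default is audit only
)

# Principals whose presence in local Administrators is worth flagging
$broad = @('Domain Users', 'INTERACTIVE', 'Authenticated Users', 'Everyone')

foreach ($computer in Get-Content $HostList | Where-Object { $_.Trim() }) {
    $computer = $computer.Trim()
    try {
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        # Enumerate current members by name
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        $flag = @($members | Where-Object { $broad -contains $_ })
        $note = if ($flag.Count -gt 0) { "  <-- broad principal: $($flag -join ', ')" } else { '' }
        Write-Output ("{0}: {1}{2}" -f $computer, ($members -join ', '), $note)

        if ($Add) {
            $dom, $name = $DomainGroup -split '\\', 2
            if ($members -notcontains $name) {
                # WinNT path of the domain group; the target must resolve $dom
                $group.Add("WinNT://$dom/$name,group")
                Write-Output "  added $DomainGroup on $computer"
            }
        }
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it without -Add first to record the current state of all ~70 machines, then again after the change to verify only the intended group was added.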
  • Devilsbane Member Posts: 4,214
    You could simply go to each workstation and add domain users to the local administrator group. This could be done via a script too to automate things (using the cacls command).

    Like some others have said, granting admin rights to each person is typically a bad idea. While convenient, a dumb user can easily break their own computer and potentially others as well.

    Before giving everyone admin rights, make sure you fully exhaust different compatibility modes. Even adding users to the power users group is better than unleashing the world.
    Decide what to be and go be it.
  • brad- Member Posts: 1,218
    Devilsbane wrote: »
    You could simply go to each workstation and add domain users to the local administrator group. This could be done via a script too to automate things (using the cacls command).

    2 things. 1 - where were you 6 months ago? I could have had that done when I installed the equipment if I had known. 2 - Examples?
  • Devilsbane Member Posts: 4,214
    Examples of how to add domain users to administrators or to use the cacls command?
  • brad- Member Posts: 1,218
    Devilsbane wrote: »
    Examples of how to add domain users to administrators or to use the cacls command?
    cacls. I can add users to local admin np...but if cacls can be used easily to perform the same function without going to each machine I'd rather use it.
  • undomiel Member Posts: 2,818
    Use restricted users to add the domain users to the workstations' administrator group. Or alternatively you could use net localgroup administrators "domain\Domain Users" /add if memory serves.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • blargoe Member Posts: 4,174
    RobertKaucher wrote: »
    You would use "NT AUTHORITY\interactive".
    Hadn't thought of that.