Add a computer that has joined the domain to its own local admin group. Will any users who log in on this computer be local administrators of this computer?
-
Tuesday, February 15, 2011 4:20 AM
as the title
Answers
-
Tuesday, February 15, 2011 6:14 PM
The local computer object has System permissions on the local computer, which grants all permissions locally. For example, a Startup script runs with System privileges and can modify the local registry and local files and install software. The computer object uses the credentials of the AD computer object elsewhere in the domain. There is no need to make the AD computer object, or the local computer object, a member of the local Administrators group.
Richard Mueller, MVP ADSI
Marked As Answer by Bruce-Liu, Microsoft Contingent Staff, Moderator, Thursday, February 24, 2011 3:07 AM
-
Tuesday, February 15, 2011 6:20 PM
I should add, if the aim is to make all domain users that log on to the computer local Administrators (which is not recommended), there are better solutions. I would recommend making all users members of a domain group, such as LocalAdms (you could also use the group "Domain Users", but I'd rather limit this to specified users of your choice). Then use the Restricted Groups feature of a GPO to specify this group as a member of all local Administrators groups on all computers in the domain. For more on Restricted Groups, see these links:
http://support.microsoft.com/kb/279301
http://msdn.microsoft.com/en-us/library/ms814788.aspx
http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx
Richard Mueller, MVP ADSI
Marked As Answer by Bruce-Liu, Microsoft Contingent Staff, Moderator, Thursday, February 24, 2011 3:08 AM
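As an added example (not code from the thread), here is the check a practitioner would run after the approach Richard describes has been deployed: once the Restricted Groups setting (Computer Configuration\Windows Settings\Security Settings\Restricted Groups) has applied, confirm that each computer's local Administrators group actually contains the domain group and nothing unexpected. The domain name CONTOSO, the group name LocalAdms, the file CompList.txt and the assumption that PowerShell Remoting is enabled on the targets are placeholders chosen for this example.

```powershell
# Added example, not part of the thread: audit local Administrators membership
# on every computer after the Restricted Groups GPO has applied.
# Assumptions (placeholders): NetBIOS domain CONTOSO, GPO-managed group
# CONTOSO\LocalAdms, PowerShell Remoting enabled, CompList.txt with one
# hostname per line, and the caller is a local admin on each target.

$Domain    = 'CONTOSO'
$Expected  = @("$Domain\LocalAdms", "$Domain\Domain Admins")
$Computers = Get-Content -Path .\CompList.txt

$enumerate = {
    # The WinNT provider lists orphaned SIDs as plain strings instead of
    # failing the whole call, which Get-LocalGroupMember does on some builds.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $adsPath = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name for local accounts; keep the last two parts.
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'
        if ($parts.Count -lt 2) { $parts[-1] }               # orphaned SID
        else { '{0}\{1}' -f $parts[-2], $parts[-1] }
    }
}

# Each returned string carries a PSComputerName note property from remoting.
$members = Invoke-Command -ComputerName $Computers -ScriptBlock $enumerate -ErrorAction SilentlyContinue

$members | Group-Object -Property PSComputerName | ForEach-Object {
    $name    = $_.Name
    $allowed = $Expected + "$name\Administrator"   # built-in local Administrator is expected
    $list    = @($_.Group | ForEach-Object { [string]$_ })
    [pscustomobject]@{
        Computer      = $name
        PolicyApplied = ($list -contains "$Domain\LocalAdms")
        Extra         = (($list | Where-Object { $allowed -notcontains $_ }) -join ', ')
    }
} | Format-Table -AutoSize

# Computers absent from the output did not answer remoting; check those separately.
```

One caveat when building the policy itself: a Restricted Groups entry for BUILTIN\Administrators with "Members of this group" enforces exact membership, so anything not listed (including Domain Admins and the local Administrator account) is removed at every policy refresh, whereas an entry for LocalAdms with "This group is a member of" Administrators only adds it. Richard's wording corresponds to the second form, which is the safer one for the stated aim; the audit above flags either outcome.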
-
Wednesday, February 16, 2011 5:47 AM (Moderator)
Agree with Richard that if you would like to make domain users that log on to the computer local Administrators, you can use the "Restricted Groups" feature in Group Policy. Here is another article which might be helpful for you:
How To Use Restricted Groups?
http://www.frickelsoft.net/blog/?p=13
This posting is provided "AS IS" with no warranties, and confers no rights.
Marked As Answer by Bruce-Liu, Microsoft Contingent Staff, Moderator, Thursday, February 24, 2011 3:08 AM
All Replies
-
Tuesday, February 15, 2011 8:27 AM
You can configure a specific group in AD that can be nested into the local Administrators group on every workstation added to the domain. Users that you put there will have local administrator rights. You can do it via Group Policy, under Computer Configuration\Windows Settings\Restricted Groups.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://technet.microsoft.com/en-us/library/cc756802(WS.10).aspx
If you need to add users to the local Administrators group only on a specific computer, you can do it manually via Computer Management on the workstation.
-
Tuesday, February 15, 2011 8:36 AM
Add a computer that has joined the domain to its own local admin group. Will any users who log in on this computer be local administrators of this computer?
as the title
Do you mean adding a domain user (Duser) to the local Administrators group?
Follow these Steps:
1. Create a text file and name it CompList.txt
2. Put all the client computer names in it.
3. Next, run the following command:
psexec.exe @CompList.txt net localgroup Administrators DomainName\Duser /add
The above command runs against each computer listed in CompList.txt and adds Duser to the local Administrators security group.
You can download the Psexec.exe from here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Thanks
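As an added example (not code from the reply above), the same one-shot change done over PowerShell Remoting with the LocalAccounts cmdlets (Windows 10 / Server 2016, or WMF 5.1 and later), which replaces the psexec + net localgroup pair and does not error out on computers where the account is already a member. CONTOSO\Duser, CompList.txt and the assumption that remoting is enabled are placeholders chosen for this example.

```powershell
# Added example, not part of the thread: add one domain principal to the local
# Administrators group on a list of computers, idempotently, over remoting.
# Assumptions (placeholders): CompList.txt holds one hostname per line,
# PowerShell Remoting is enabled, and the account to add is CONTOSO\Duser.

$Principal = 'CONTOSO\Duser'
$Computers = Get-Content -Path .\CompList.txt

Invoke-Command -ComputerName $Computers -ArgumentList $Principal -ScriptBlock {
    param([string]$Member)
    try {
        # net localgroup /add fails if the member already exists, so check first
        # and only add when needed; re-running the script is then harmless.
        $current = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                     Select-Object -ExpandProperty Name)
        if ($current -contains $Member) {
            $action = 'AlreadyMember'
        } else {
            Add-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
            $action = 'Added'
        }
    } catch {
        # Get-LocalGroupMember fails on some builds when the group holds an
        # orphaned SID; report it rather than silently skipping the host.
        $action = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $Member; Action = $action }
} | Select-Object Computer, Member, Action | Format-Table -AutoSize
```

Unlike the Restricted Groups approach, this is not enforced: whoever is added stays a member until someone removes them, and anything added later by hand is not reverted, so it suits a few specific computers rather than a domain-wide standard.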
-
Tuesday, February 15, 2011 8:53 AM
Thanks. I mean add a computer, not a user.
-
Tuesday, February 15, 2011 8:58 AM
You can't add a computer to the local Administrators group, as far as I know.
-
Tuesday, February 15, 2011 9:00 AM
What I mean is adding the computer name to the local admin group. Then will all domain users who log in to this computer be local admins of this computer? I don't need to add domain users to its local admin group. I would like to know if that is right.
-