Using group policy to add a security group of users in AD to the local admin group of a list of computers in a security group of computers in AD
-
Friday, January 04, 2013 7:51 PM
Want to know if there is way to use Group policy to add a security group of users in AD to security group of computers and put them in the local admin group? These machines are spread throughout different OUs and not located in just one OU. The goal is to grant access to a specific group local admin rights to these machines.
One thought was to add them via the security tab of security group of computers and grant full access. I selected 'this object and all descendant objects' objects and ensured all boxed are checked. The other options in that list was 'descendent computer objects' also. Just haven't tested it out to see what works. Thanks in advance!
All Replies
-
Friday, January 04, 2013 8:25 PM You can easily use "restricted groups", see http://www.theexperienceblog.com/2009/05/27/add-users-to-local-groups-on-the-windows-clients-easily/
Blogging about Windows for IT pros at www.theexperienceblog.com
- Marked As Answer by Andy QiMicrosoft Contingent Staff, Moderator Monday, January 21, 2013 2:56 AM
-
Sunday, January 06, 2013 9:52 AM
What OS types?
Group Policy Preference with item level targeting looks like a good bet.
You can specify more finegrained Create/Update/Replace/Delete settings than with restricted groups Security GPO settin , and Item level targeting allows you to enter a security group with the computeraccounts (eq. security filtering).
I would advise not messing with delegated permissions on the particular AD computer objects themselves.- Edited by alt-92_ Sunday, January 06, 2013 9:59 AM
- Proposed As Answer by Alex Trofimov Monday, January 07, 2013 11:15 AM
-
Sunday, January 06, 2013 11:52 AM
Want to know if there is way to use Group policy to add a security group of users in AD to security group of computers and put them in the local admin group? These machines are spread throughout different OUs and not located in just one OU. The goal is to grant access to a specific group local admin rights to these machines.
how to add any user to the local admin group with group policyHow to use Group Policy Preferences to Secure Local Administrator Groups
"These machines are spread throughout different OUs and not located in just one OU. The goal is to grant access to a specific group local admin rights to these machines"
You can aceive that through security filtering. link that policy at domain level & use security filtering
Security Filtering Using GPMC
http://social.technet.microsoft.com/wiki/contents/articles/security-filtering-using-gpmc.aspx
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
- Edited by i.biswajith Sunday, January 06, 2013 11:59 AM
- Marked As Answer by Andy QiMicrosoft Contingent Staff, Moderator Monday, January 21, 2013 2:56 AM
-
Tuesday, January 08, 2013 9:50 AMModerator
Hi,
I agree with others, they have provided the right suggestions to your question. As they mentioned before, we could choose to configure GPP and Restricted Groups settings to grant Local Admin rights for common users. If you choose to use GPP to achieve the target, please refer to the articles i.biswajith provided. If you want to configure it via Restricted Groups, I suggest we could refer to the similar thread below. It may be useful to us.
Using Restricted Groups through Group Policy to set Local Admin rights
Best Regards,
Andy Qi
Andy Qi
TechNet Community Support
- Marked As Answer by Andy QiMicrosoft Contingent Staff, Moderator Monday, January 21, 2013 2:56 AM
.png)
