adding a local user or group via group policy

    Question

  • Hi,

    I wanted to create a local user or group in our domain so that if ever our Level 1 support needs access to the PC (for installations, change of IP address, etc.) they can access it locally. We can set it up manually but for an office with 200 PCs, it will waste a lot of our time. I thought of running it via Group Policy. How do I do it?

    Checked some articles regarding this but none of them seems to work. Thanks

    Regards,

    Jeff

    Thursday, March 08, 2012 5:39 AM

Answers

  • Hi Jeff,

    You can easily create the local user accounts with the group policy preferences.

    http://blog.korteksolutions.com/how-to-create-local-accounts-via-group-policy/

    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/


    If you have 2003 you can use a script to create accounts.

    http://www.computerperformance.co.uk/ezine/ezine112.htm


    To use the Group Policy Preferences on 2003, you can follow (for example) the steps of the following link

    http://blogs.technet.com/b/danstolts/archive/2009/01/21/installing-and-managing-group-policy-preferences-on-a-windows-server-2003-domain.aspx



    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!


    Thursday, March 08, 2012 6:31 AM
  • Hi Jeff,

    In addition to Rafic's comments above, you can still achieve this with group policy if you don't want to use group policy preferences for some reason. The branch within the group policy object you'd be looking to use is under:

    • Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

    There's two ways you can use the rules in here:

    • To add a domain user/group to a local computer group without removing existing members;
    • To enforce a particular set of domain users/groups as members of a local computer group.

    Most people look to use the first option as it just adds new members to a local group - which is what you described. To do this:

    • Right-click on the Restricted Groups node and choose Add Group
    • Click the Browse button and choose the domain user or group you want to add -> OK button
    • The properties window is now split into two halves: top and bottom. Click on the lower Add button (in the This group is a member of section)
    • Click the Browse button and then in the next dialog, click the Locations button and change to your local computer -> OK button
    • Type in the name of the local group you want to add the initial group/user to -> OK button -> OK button -> OK button

    This will take you back out to the policy editor which you can close once you've sorted out all the group membership rules.

    This option is available across all versions of Windows later than and including Windows 2000.

    Cheers,
    Lain

    Thursday, March 08, 2012 11:55 AM
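
Added example (not part of the thread or of any poster's reply): the two Restricted Groups modes described above are stored in the GPO's security template (GptTmpl.inf) under `[Group Membership]`, as `__Memberof` and `__Members` lines. The Python below runs over a constructed template with made-up SIDs and labels each rule as additive or enforcing, so an enforcing rule on a local group can be spotted before it replaces existing members.

```python
# Added example, not code from the thread. SAMPLE_GPTTMPL is constructed;
# the domain SID and RIDs in it are made up.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_restricted_groups(text):
    """Return {principal: {"memberof": [...], "members": [...]}}."""
    rules, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the [Group Membership] section holds Restricted Groups rules.
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("memberof", "members"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        rules.setdefault(name, {"memberof": [], "members": []})[kind.lower()] = values
    return rules

def classify(rules):
    """Label each rule: 'add' (This group is a member of) or 'enforce' (Members)."""
    report = {}
    for name, rule in rules.items():
        if rule["members"]:
            report[name] = "enforce"  # listed members replace the group's membership
        elif rule["memberof"]:
            report[name] = "add"      # principal is added; existing members stay
        else:
            report[name] = "none"     # neither list populated
    return report

if __name__ == "__main__":
    for principal, mode in classify(parse_restricted_groups(SAMPLE_GPTTMPL)).items():
        print(f"{mode:8} {principal}")
```

In the sample, `S-1-5-32-544` is the built-in Administrators group and `S-1-5-32-555` is Remote Desktop Users; the first rule is the additive setup from the steps above, the second is the enforcing kind.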
  • Hi,

    Thanks for your posting.

    What’s your clients' OS version? Group Policy Preferences need at least XP SP2 and need the Client Side Extensions (CSE) installed.
    System requirements and installation steps
    http://technet.microsoft.com/en-us/library/cc731892(v=WS.10).aspx

    Please use the Group Policy Management Console to generate a Group Policy result for one of your clients to check the GPO apply status, and check the Group Policy Preferences apply status and any error code on the “Settings” tab.

    For more information please refer to following MS articles:

    Troubleshooting Group Policy Problems
    http://technet.microsoft.com/en-us/library/cc787386(v=WS.10).aspx
    Fixing Group Policy problems by using log files
    http://technet.microsoft.com/en-us/library/cc775423(v=WS.10).aspx


    Lawrence

    TechNet Community Support

    Tuesday, March 13, 2012 8:32 AM

All replies

  • Hi,

    Tried doing both Lain's and Rafic's but it's kind of weird that it doesn't take effect. I'm not sure if I'm doing it wrong or something is missing in my steps. Will try it again and will let you guys know. Thanks for the replies.

    Jeff

    Tuesday, March 13, 2012 12:59 AM
  • Jeff,

    Via Group Policy, you can use a startup script (xyz.bat) that will contain "NET LOCALGROUP <group name> /ADD <user name>"

    This script will help you to add users to a group on multiple machines.

    Hope this helps.


    MCSE Certified


    • Edited by IamBharat Tuesday, March 13, 2012 2:48 AM
    Tuesday, March 13, 2012 2:43 AM
  • Hi,

    I was able to apply via group policy but it only works with Windows 7 not on XP. Any ideas?

    Jeff

    Monday, March 26, 2012 2:00 AM
  • Hi Jeff,

    Which approach did you use? If it was the approach I listed above, that is compatible with XP out of the box. If you used Group Policy Preferences, then that isn't available out of the box - you need to install the GPP extensions for this to work on XP.

    The script approach will also work with XP out of the box, though it's a bit redundant writing a script when a built-in policy mechanic already exists.

    If you can let us know which approach you used, we can better assist you with the troubleshooting side of things.

    Cheers,
    Lain

    Monday, March 26, 2012 2:10 AM
  • Hi,

    Tried using Group Policy preferences, created a policy and linked to the proper OU. When you say GPP Extension? Is this something like an add on?

    Thanks

    Jeff

    Monday, March 26, 2012 5:18 AM
  • Hi Jeff,

    Yes, policy preferences did not exist in the era of Windows XP and Vista RTM, so you have to download and install them (or deploy them via group policy, SCCM, etc).

    If you intend to use policy preferences, you will need to distribute the above to your clients before you can do so.

    It's also worth noting there are a number of hotfix rollups that update the initial GPP client side extension download for each of the above, so be sure to search for those on support.microsoft.com.

    Cheers,
    Lain

    Monday, March 26, 2012 5:27 AM
  • Noted, and thanks for the info guys. I already did it. After installing the extension and rebooting the PC, it worked.

    Thanks for the input guys. I'm off to my next project which is a complicated one regarding Exchange 2007. I know this is more on Windows Server inputs but I would like to grab this opportunity to relay my problems with Exchange 2007.

    To shorten my time in typing, I'm going to copy and paste from the other forum I created,

    Hi,

    Just want to ask the experts regarding our project. The company has an existing email server and it is located on a vmware ESX server.

    Its computer name is MARS. So our email server is: MARS.CIBI.LOCAL, operating system is: Windows Server 2003 x64, Exchange Version is: Exchange 2007 Enterprise.

    BTW, FYI for all readers, just like in my previous posts. They have 3 roles. MARS which is the mailbox, Venus which is the Edge Transport, and Neptune which is the Hub Transport

    The company decided to setup/move/transfer their email server on a dedicated machine. They purchased a new IBM server for this. Technically they would like the 3 roles to be in one machine or they would like to migrate it to the new IBM server.

    Our problem is they have an SSL/TLS certificate that was registered with Neptune which is the Hub Transport. Our worry is that we might be able to move the database to the new machine but the certificate might only be able to recognize ONLY Neptune. We're planning to name the new server as on-v-mail01.

    As of the time being as far as I know our first step is to backup the database. How do we do this?

    Thanks in advance

    Jeff

    Monday, March 26, 2012 5:53 AM
  • Hi Jeff,

    As this is the Windows Server Group Policy forum, this latest post isn't going to get much traction here. Better off sticking with something like the Exchange Deploy forum, which can be found here.

    To put you on the right track though, the role you're actually interested in the placement of is the CAS role. If you keep that on Neptune then you won't have any certificate issues.

    As for the mailboxes, you can handle that a number of different ways. Here's two:

    1. Build a new Exchange server on the new IBM hardware, make sure it has the Mailbox Server role installed and then use New-Moverequest to move the mailboxes. This is a slower method than some of the others, but it allows Exchange to remain online which could be perceived as a big benefit by the business.
    2. A mixture of PowerShell cmdlets and file system level copying as illustrated here. It's faster, but your users of the particular database being moved are offline during the process.

    Again, this isn't the right forum so I won't go into any further depth here. If you've already asked in the Exchange forums, then that is the right place to pursue more information.

    Cheers,
    Lain

    Monday, March 26, 2012 6:08 AM
  • Hi Lain,

    Thanks for the inputs, I'll try to browse over the Exchange forum but I'll also try the methods you've mentioned.

    Thanks and have a great day ahead!

    Jeff

    Tuesday, March 27, 2012 9:50 AM