LOCAL admin rights for Member Server

    Question

  • I have a group of 4 member servers and 2 Windows Workstations looked after by a Software provider

    I've been asked to set up LOCAL ADMIN rights for a couple groups of users.

    Currently, all the Users, Servers and Workstations are in 1 OU

    Ideally, I would like to leave it that way

    At some sites we have had to give ALL users LOCAL ADMIN rights via GP Preferences to their PCs
    but this applies to ALL PCs - in this case I prefer not to do that!

    Can I put these Servers & Workstations into some sort of "Group" (but not an OU!)?

     


    ChrisS



    Monday, 9 July 2018 06:05

Answers

  • Hello,

    Thanks for your post.

    According to my knowledge, we could only create a GPO linked with the OU you have. Then we remove the Authenticated Users from the Security Filtering and add the members you need to the Security Filtering. For the location, please refer to the following picture.

    But GPO is applied to user accounts and computer objects not workstations.

    Hope above information could help you. If you have anything unclear, please feel free to let me know.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by ChrisS - ITR Tuesday, 10 July 2018 21:08
    Tuesday, 10 July 2018 08:30
    Moderator

All replies

  • Hello,

    You can do that. Group Policy can be applied to a security group.

    Best Regards,

    Monday, 9 July 2018 16:09
  • emm..

    "Security Groups"

    There are only 6 Computers, but it looks like I would need a Group Policy Preference for each Computer?

    Would be good if it's possible to Group Computers together!


    ChrisS

    Monday, 9 July 2018 20:27
  • On 09.07.2018 at 08:05, ChrisS - ITR wrote:
    > but this applies to ALL PCs - in this case I prefer not to do that!
     
    Use Common -> Item Level Targeting - Select Computername
     
     
    --
    Mark Heitbrink
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10
     
    Monday, 9 July 2018 20:56
  • You can apply a policy to multiple computers either via OU or Security Group membership... either way you are best to use Group Policy Preferences to apply the local admin groups to the server to ensure that they are added automatically. See my extensive blog post about how to do this at http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Tuesday, 10 July 2018 03:23
  • looked at the Blog but it's not working for me...



    ChrisS

    Tuesday, 10 July 2018 20:49
  • Alan,

    I think I followed your steps in the Blog but NOT working

    This is what I did, I only have 1 OU and all PCs and Servers are in there

    Open Group Policy Management
    Go to Domains > MyDomains.com > Create a GPO in this Domain & Link it here
    Give it a name LocAdmins GPP
    Go to GP Objects and Select & Edit
    Select Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

    Step 3 - Actions > New Local Group
    Step 4 - Select Administrators (builtin)
    Step 5 - skip (don't want to delete at this point!)
    Step 6 - Add Domain Admins (myDomain\Domain Admins) - also tried %DomainName%\Domain Admins
    Step 7 - Add Builtin\Administrator
    Step 8 - this is a breakdown of 6 ??

    Ok so above 1-8 should apply to ALL computers?

    BUT, not working

    gpupdate
    gpupdate /force - for good measure

    gpresult /R /scope:computers - shows GPO is applied

    Gets a bit confusing with steps here

    Step 9 - add entry for Specific computer

    Added this still not working!

    Yes, ran gpupdate

    Any ideas?


    ChrisS

    Wednesday, 11 July 2018 06:42
  • Ok, I've sorted this...
    For my needs, it was a 1-2-3 moment
    
    (1) Created a Security Group SrvAdmin and added people who need to access
    
    (2) Open Group Policy Management
    Domains > MyDomains.com > Create a GPO in this & Link it here
    Give it a name LocAdmins GPP
    Go to GP Objects and Select & Edit
    Select Computer > Preferences > Control Settings > Local Users and Groups
    Actions > New Local Group
    Select Administrators (Builtin)
    skip (don't want to delete at this point!)
    Add MyDomain\SrvAdmin
    
    (3) Select Common Tab > Click CheckBox Item-Level
    New Item > Computer Name > Select one of the computers
    if additional machines need to be set - click New Again > Item Options > Select OR then add the additional name
    
    You may need to run gpupdate
    
    That's it
    
    Thanks for the help
    
    ChrisS

    Wednesday, 11 July 2018 11:57
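
A check to run once the policy has refreshed, as an added example that is not part of the original post: it confirms that MyDomain\SrvAdmin is in the local Administrators group on the machines named in item-level targeting and absent from a machine in the same OU that was not named. The computer names are constructed placeholders, and it assumes PowerShell remoting is enabled and Windows PowerShell 5.1 (for Get-LocalGroupMember) is present on the targets.

```powershell
# Added example (not from the thread). Computer names are constructed
# placeholders; MyDomain\SrvAdmin is the group named in the post above.
$Targeted   = 'SRV01','SRV02','SRV03','SRV04','WKS01','WKS02'  # listed in item-level targeting
$Untargeted = 'WKS99'                                          # same OU, not listed
$Expected   = 'MyDomain\SrvAdmin'

function Get-LocalAdminReport {
    param(
        [string[]]$Targeted,
        [string[]]$Untargeted,
        [string]$Expected
    )
    $all = @($Targeted) + @($Untargeted)

    # Query the built-in Administrators group by its well-known SID so the
    # check does not depend on the localized group name.
    $rows = Invoke-Command -ComputerName $all -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass
    }

    foreach ($c in $all) {
        $members   = @($rows | Where-Object { $_.PSComputerName -eq $c } |
                       ForEach-Object { $_.Name })
        $reachable = $members.Count -gt 0
        $present   = $members -contains $Expected   # comparison is case-insensitive
        $wanted    = $Targeted -contains $c

        # UNKNOWN: no answer from the machine; MISMATCH: group present where
        # it should not be, or missing where it should be.
        if (-not $reachable) { $status = 'UNKNOWN' }
        elseif ($present -eq $wanted) { $status = 'OK' }
        else { $status = 'MISMATCH' }

        [pscustomobject]@{
            Computer = $c
            Expected = $wanted
            SrvAdmin = $present
            Status   = $status
            Members  = $members -join '; '
        }
    }
}

Get-LocalAdminReport -Targeted $Targeted -Untargeted $Untargeted -Expected $Expected |
    Format-Table -AutoSize
```

The Members column also shows any other accounts already in the group, which matters here because the delete options were skipped in the preference item.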
  • Hi,

     

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

     

    Best Regards,

    Kallen



    Thursday, 12 July 2018 01:58
    Moderator