Answered by:
LOCAL admin rights for Member Server

-
I have a group of 4 member server and 2 Windows Workstations looked after by a Software provider
I've been asked to setup LOCAL ADMIN rights for a couple groups of users.
Currently, all the User, Servers and Workstations are in 1 OU
Ideally, I would like to leave it that way
At some site we have had to give ALL users LOCAL ADMIN rights via GP Preferences to their PC's
but this applies to ALL PC's - I this case prefer not to do that!
Can I put these Servers & Workstations into some sort of "Group" (but not a OU !)
ChrisS
- Edited by ChrisS - ITR Monday, July 9, 2018 6:50 AM
Question
Answers
-
Hello,
Thanks for your post.
According to my knowledge, we could only create a GPO linked with the OU you have. Then we remove the Authenticated Users from the Security Filtering and add the members you need to the Security Filtering. The location please refer to the following picture.
But GPO is applied to user accounts and computer objects not workstations.
Hope above information could help you. If you have anything unclear, please feel free to let me know.
Best Regards,
Kallen
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.- Marked as answer by ChrisS - ITR Tuesday, July 10, 2018 9:08 PM
All replies
-
-
-
Am 09.07.2018 um 08:05 schrieb ChrisS - ITR:> but this applies to ALL PC's - I this case prefer not to do that!Use Common -> Item Level Targeting - Select Computername--Mark HeitbrinkHomepage: http://www.gruppenrichtlinien.de - deutschAktuelles: https://www.facebook.com/Gruppenrichtlinien/GET Privacy and DISABLE Telemetry on Windows 10gp-pack PaT - http://www.gp-pack.com/
-
You can apply a policy applied to the multiple computers either via OU or Security Group membership... either way you are best to use Group Policy Preferences to apply the local admin groups to the server to ensure that they are added automatically. See my extensive blog post about how to do this at http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Alan Burchill (MVP)
http://www.grouppolicy.biz
@alanburchill
-
Hello,
Thanks for your post.
According to my knowledge, we could only create a GPO linked with the OU you have. Then we remove the Authenticated Users from the Security Filtering and add the members you need to the Security Filtering. The location please refer to the following picture.
But GPO is applied to user accounts and computer objects not workstations.
Hope above information could help you. If you have anything unclear, please feel free to let me know.
Best Regards,
Kallen
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.- Marked as answer by ChrisS - ITR Tuesday, July 10, 2018 9:08 PM
-
-
Alan,
I think I followed you steps in the Blog but NOT working
This is what I did, I only have 1 OU and all PC's and Server are in there
Open Group Policy Management
Goto Domains > MyDomains.com > Create a GPO in this Doamin & Link it here
Give it a name LocAdmins GPP
goto GP Objects and Select & Edit
Select Computer Configuratin > Preferences > Control Pannel Settings > Local Users and Group
Sept 3 - Actions > New Local Group
Step 4 - Select Administrators (builtin)
Step 5 - skip (don't want to delete at this point!
Step 6 - Add Domain Admins (myDomain\Domain Admins) - also tried %DomainName%\Domain Admins
Step 7 - Add Builtin\Administrator
Step 8 - this is a breakdown of 6 ??
Ok so above 1-8 should apply to ALL computers?
BUT, not working
gpupdate
gpupdate /force - for good measure
gpresult /R /scope:computers - shows GPO is applied
Gets a bit confusing with steps here
Step 9 - add entry for Specific computer
Added this still not working!
Yes, ran gpupdate
any ideas ?
ChrisS
-
Ok, I've sorted this...
For my needs. it was a 1-2-3 moment (1) Created a Security Group SrvAdmin and added people who need to access (2) Open Group Policy Management Domains > MyDomains.com > Create a GPO in this & Link it here Give it a name LocAdmins GPP goto GP Objects and Select & Edit Select Computer > Preferences > Control Settings > Local Users and Group Actions > New Local Group Select Administrators (Builtin) skip (don't want to delete at this point! Add MyDomain\SrvAdmin (3) Select Commo Tab > Lick CheckBox Item-Level New Item > Computer Name > Select one of the computers if additional machines need to be set - click New Again > Item Options > Select OR then add the additional name You may need to run gpupdate That's it Thanks for the help ChrisS
- Edited by ChrisS - ITR Wednesday, July 11, 2018 12:04 PM
-
Hi,
I am glad to hear that your issue was successfully resolved.
If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
Kallen
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.