AD Question, Group as Administrator

  • Question

  • In our Group Policy we add a specific user group as administrator on a machine.

    The group policy is verified to be working by going to the computer manager and checking the local groups, and the group that we want to be added to the administrators group is there. So this is not a problem with our group policy.

    My problem is that the User logs into the computer, and does not have administrator access. Yes this person is a part of the group that is applied as an Administrator (built in).

    I have tried a lot of things, such as adding the users to just Administrator. What I notice when I add the group to Administrator is that they magically get Administrator access, and everything works great. But I would have to do this for every single user that needs access to their computer, which is just not feasible.

    These users have not ever logged onto these machines before, and we use Windows Enabler to copy our profile to the default profile. And yes we did give this profile access to "Everyone".

    Here is another question that I would like answered as well. What is the difference between Administrator and Administrator (Built-In)? Are there any permission differences?

    Thank you in advance,

    -Derek

    Tuesday, March 13, 2012 2:39 AM

All replies

  • How exactly did you provide this in a GPO? Do you have a link or a step by step you followed? Did you use the GPO Restricted Groups feature? Here is some info on Restricted Groups. Is this how you created the GPO?

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Restricted groups are made for that:
    http://www.frickelsoft.net/blog/?p=13

    As for your questions regarding differences in accounts and groups:

    Builtin\Local Administrators Group: This is a DLG (Domain Local Group) - Grants administrative access to domain controllers and AD within a domain. Limited scope and visibility to local domain resources.

    Domain Administrators Group - Domain Global Group - This has a wider administration scope and visibility, because by default, it's added to the Built-In Local Administrators Group. Membership in Domain Admins is also required to perform certain types of privileged operations, such as dcpromo, adprep, etc.

    Local Administrators Group - This is the administrative group on a local machine that exists in the local SAM database (not in AD) that has full control and privileges to the local machine. The local Administrator account is part of this group. When joining to the domain, the Domain Administrators Group is automatically added to this group, so any account that was added to the Domain Administrators Group will have full control.

    You can create a restricted groups policy to add a specific user group from AD to the local administrators group on each machine, providing those accounts with full control on the local machine. Please see the restricted groups link above for more info.


    Here's more info on groups:

    Using Group Nesting Strategy - AD Best Practices for Group Strategy
    http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, March 13, 2012 3:38 AM
  • Here is another question that I would like answered as well. What is the difference between Administrator and Administrator (Built-In)? Are there any permission differences?

    The Administrator is the default account created during installation of the OS and it has no restriction to add/install/modify the local system.

    The local Administrators group is the default group and has full control over the local system. By default, Administrator is a member of the local Administrators group. When you add individuals or groups to the local Administrators group, you ultimately assign them full permission to take control of the system: modify, add, install or remove.

    Regarding the issue you are facing, it can be due to profile corruption, or UAC might be blocking; otherwise there is no reason that adding an individual user to the local admin group would not give him the privilege. Also, once you add or remove a member of the Administrators group you need to log off and log in again.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, March 13, 2012 3:44 AM
  • So you say the issue I am facing could be profile corruption. What would be the best fix?

    I have tried Windows Enabler again, but to not much avail.

    And to answer Ace's answer: I am assigning it through Computer Configuration -> Control Panel -> Local Groups, and adding them to the Administrators (built-in) group.

    Also thank you guys for the answers.

    Tuesday, March 13, 2012 4:07 AM
  • You can do one thing, if there is anything wrong with profile corruption.

    Log on as that user, go to Computer -> Users -> %username% and delete the profile folder.

    Log off and log on back.

    Make sure that you have backed up his documents and certificates before you delete the local profile.


    Kamal Sharma

    Tuesday, March 13, 2012 4:48 AM
  • You can refer to the articles below for the profile corruption.

    http://support.microsoft.com/kb/811151

    http://support.microsoft.com/kb/318011


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by vt-serz Tuesday, December 13, 2016 2:24 AM
    Tuesday, March 13, 2012 8:42 AM
  • Just a thought - I don't know what Windows Enabler is, nor have I ever used it, but after a quick search, it appears to be freeware offered at various sites.

    I'm sometimes leery of certain tools, and would rather stick to what I know works, and frankly, which tools are supported by Microsoft, such as WET (Windows Easy Transfer), and for larger scale scenarios, USMT (User State Migration Tool), both free from Microsoft. I've used both for years without problems.

    You can run WET or USMT on it, then delete the profile, recreate it, then run WET or USMT to pull settings and files back over. Give it a shot.

    WET - Scroll down to bottom for other versions depending on source OS and target OS:
    http://www.microsoft.com/download/en/details.aspx?id=7349

    Download USMT 4
    http://www.wintools.com.au/download_usmt4.php

    Information about the User State Migration Tool (USMT) 4.0 update
    http://support.microsoft.com/kb/2023591


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, March 13, 2012 11:34 AM
  • So today I was messing around with everything, and I finally got everything working by setting one of the groups to be in the Administrators group on the machine, not the BUILT-IN Administrators group. This all of a sudden made everything work fine?

    To give you a better look at what is happening, there are 2 GPOs that act on this set of computers and set anything to do with user groups on the local machine.

    One gives our IT team administrator rights on all of our computers; let's call this group IT-Admins.

    The other gives our staff administrator rights on the machine (Staff). This group has all of our staff as well as the IT-Admins group listed within it.

    So when the policies all got through to the machine, IT-Admins and Staff were added to the Administrators (Built-In) group. But why, when I switched Staff to the Administrators group (not the built-in group), does everything work fine? So obviously my profile was not corrupted. I NEED to understand why this is an issue. Please help.

    I do appreciate all of the responses I've been getting thank you.


    • Edited by D-rek Tuesday, March 13, 2012 5:13 PM
    Tuesday, March 13, 2012 5:10 PM
  • So that tells us you chose the wrong "administrators" group. Glad to hear you got that working.

    It's not an issue, you just chose the wrong group. The "built-in" is the domain Administrators group, not the local machine. You needed to choose the local administrators group on the machine.

    Have you looked at the Groups Strategy and Restricted Groups links, as well as what everyone posted to help understand the differences between the type of groups, where they exist, and the differences between them, and how to use Restricted Groups settings?


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, March 13, 2012 7:29 PM
  • Just for your info, using the restricted group policy you will not only add required members to local Administrators, but it will remove any members that were in local Admins previously.

    I personally would not recommend using restricted groups to do this - restricted groups is a very powerful tool and simple mistakes can mean big headaches. You don't need to get any more complex than necessary.

    Instead, there is a much easier way to add a group or user:
    Set a startup script in group policy with the following line:
    NET localgroup Administrators /add "domain_name\domain_group"
    That's it... the next time the computers are started, the group will be added to the local admin group.

    Instead of a group you can mention a user ID as below:
    NET localgroup Administrators /add "domain_name\domain_Userid"

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, March 13, 2012 11:10 PM
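As an added example (not from the thread and not Sandesh's script), here is a PowerShell startup-script version of the NET localgroup line above that is safe to run at every boot: it adds the domain group only when it is missing, never removes anything, and logs what it did. It assumes Windows PowerShell 5.1 (LocalAccounts module) running as SYSTEM from a Computer Configuration startup script; CONTOSO\Help Desk Group and the event source name are placeholders.

```powershell
# Added example, not from the thread: idempotent, logged replacement for
# "NET localgroup Administrators /add domain_name\domain_group" as a startup script.
# Assumptions: Windows PowerShell 5.1 (LocalAccounts module), run as SYSTEM at boot.
# CONTOSO\Help Desk Group and the event source name are placeholders.

$GroupToAdd  = 'CONTOSO\Help Desk Group'     # placeholder for domain_name\domain_group
$EventSource = 'LocalAdminStartupScript'     # placeholder event log source name

# The local Administrators group is always well-known SID S-1-5-32-544, whatever
# its display name, so address it by SID and sidestep the "Administrators" vs
# "Administrators (built-in)" naming confusion from this thread.
$AdminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

function Write-StartupLog {
    param([string]$Message, [string]$Type = 'Information')
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 `
                   -EntryType $Type -Message $Message
}

function Add-LocalAdminIfMissing {
    param([string]$Principal)
    # Resolve the domain principal to a SID. At boot the DC may not be reachable
    # yet; in that case log it and leave the group untouched rather than fail.
    try {
        $wanted = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                      [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-StartupLog "Could not resolve $Principal to a SID: $_" 'Warning'
        return 'unresolved'
    }
    # Compare SIDs, not names: names vary by locale and accounts can be renamed.
    $current = @(Get-LocalGroupMember -SID $AdminSid | ForEach-Object { $_.SID.Value })
    if ($current -contains $wanted.Value) {
        return 'already-present'
    }
    Add-LocalGroupMember -SID $AdminSid -Member $wanted.Value
    Write-StartupLog "Added $Principal ($($wanted.Value)) to local Administrators."
    return 'added'
}

$result = Add-LocalAdminIfMissing -Principal $GroupToAdd
Write-Output "Local Administrators: $GroupToAdd -> $result"
```

If Get-LocalGroupMember fails with a comparison error, the group still holds orphaned SIDs of deleted accounts; those are worth cleaning up in their own right.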
  • Sandesh,

    Actually you are correct that it will wipe out all current entries in the local groups, if it's done the wrong way, such as if you inadvertently selected "Add" to the "Members of this group" (in the upper box). We need to select the bottom box under "This group is a member of," so it won't wipe out current members on all machines.

    That's the trick to this.

    For example, please review the steps and my notes below to ensure that you add the group you want, without deleting or changing any current entries.

    1. In AD, create an OU, or just identify the OU you want to use that contains all the computers on which you want to add a Help Desk group to the local Administrators group.
    2. In AD, create a group and call it Help Desk Group.
    3. Create a GPO.
    4. Right click the GPO, choose Edit.
    5. Drill down expanding Computer Configuration, Policies, Windows Settings, Security Settings. You should see the "Restricted Groups" node under Security Settings.
    6. Right click Restricted Groups, choose Add Group.
    7. Type in "Administrators" (plural and without the quotes).
    8. Click on OK.
    9. In the next window that comes up, on the bottom portion (not the top), click Add, and type in or browse for the Help Desk Group you created in the second step above.

    Note:
    We don't want to add users or other groups in the group we just added; rather, we want to add this group to the local Administrators group on our client machines, with the steps outlined above using the bottom portion.

    Now to take this further, if we were to inadvertently select "Add" to the "Members of this group" in the upper portion of the box (such as erroneously selecting the upper box in the next steps), it would be a wipe/replace action. That's good to wipe out anything else in the groups on all machines, such as if all users at one time or other had access to their local machines and left it a mess. I don't usually see this too often. Plus, if you were to unlink this GPO when you no longer want it, such as when it becomes out of scope of what you need, then what happens is that it will essentially wipe and leave the local Administrators group empty on all machines, which will of course cause dire consequences. Therefore, we will configure it to add to the current list of members on the local Administrators group on all machines without touching the current list of members, by using the following steps.

    1. Click on Add next to "This group is a member of" (the bottom portion of the window).
    2. Type in Administrators.
    3. Click on Apply.
    4. Click on OK to close the window.
    5. Close the GPO Edit console.

    This results in adding our Help Desk Group into the local Administrators group of all machines that are in the OU this GPO is linked to. If there are any other existing members in the local Administrators group, they won't be touched - it simply adds our group.

    1. Link the GPO to the OU you created above.
    2. Move a test computer to the OU.
    3. Add a test user to the Help Desk Group.
    4. Logon as a Domain Administrator on the test machine.
    5. Run gpupdate /force (to force a GPO refresh).
    6. Log the Domain Administrator off.
    7. Logon as the Test user account.
    8. In the workstation's Computer Management console, look at the local Administrators group. You should see Domain\Help Desk Group as a member. Notice that the group is grayed out, meaning that the policy is controlling it and it can't be manually removed.
    9. Also notice that you can add other objects to the group.
    10. You're done!


    For anyone interested, here are two good links that explain it:

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Restricted groups are made for that:
    http://www.frickelsoft.net/blog/?p=13

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Sandesh Dubey Wednesday, March 14, 2012 12:07 AM
    • Marked as answer by Elytis Cheng Thursday, April 5, 2012 9:35 AM
    Tuesday, March 13, 2012 11:58 PM
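An added example, not part of Ace's post, for the verification in step 8 above (and for the group-scope explanation in his first reply): a PowerShell audit of the local Administrators group that classifies every member by SID as built-in alias, local SAM account or domain principal, and checks that the domain groups the policy should have added are really there. It assumes Windows PowerShell 5.1 (LocalAccounts module) run elevated on the workstation; the CONTOSO names are placeholders.

```powershell
# Added example, not from the thread: audit local Administrators after the
# Restricted Groups (or GPP Local Groups) policy has applied, instead of
# eyeballing Computer Management. Assumptions: Windows PowerShell 5.1
# (LocalAccounts module), run elevated; CONTOSO names are placeholders.

function Get-LocalAdminAudit {
    param(
        [string[]]$ExpectedMembers = @('CONTOSO\Help Desk Group', 'CONTOSO\Domain Admins')
    )
    # Address the group by its well-known SID, never by display name.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

    # Local SAM principals share the machine SID as prefix; derive it from the
    # built-in Administrator account (RID 500), which keeps that RID even if renamed.
    $machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
                   Select-Object -First 1).SID.AccountDomainSid.Value

    $members = Get-LocalGroupMember -SID $adminSid | ForEach-Object {
        $sid   = $_.SID
        $scope = 'domain'
        if ($sid.Value -like 'S-1-5-32-*') { $scope = 'built-in alias' }
        elseif ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $machineSid) {
            $scope = 'local SAM'
        }
        [pscustomobject]@{
            Name   = $_.Name
            Class  = $_.ObjectClass
            Scope  = $scope
            Source = $_.PrincipalSource
            SID    = $sid.Value
        }
    }

    $names   = $members.Name
    $missing = @($ExpectedMembers | Where-Object { $names -notcontains $_ })
    # Any domain principal not on the expected list, or any local user other than
    # RID 500, deserves a look: that is how unmanaged local admins accumulate.
    $unexpected = @($members | Where-Object {
        ($_.Scope -eq 'domain' -and $ExpectedMembers -notcontains $_.Name) -or
        ($_.Scope -eq 'local SAM' -and $_.SID -notlike '*-500')
    })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = $members
        Missing    = $missing
        Unexpected = $unexpected
        PolicyOk   = ($missing.Count -eq 0)
    }
}

$audit = Get-LocalAdminAudit
$audit.Members | Format-Table Name, Class, Scope, Source, SID -AutoSize
if (-not $audit.PolicyOk) {
    Write-Warning "Missing expected members: $($audit.Missing -join ', ')"
}
if ($audit.Unexpected.Count -gt 0) {
    Write-Warning "Unexpected Administrators members: $($audit.Unexpected.Name -join ', ')"
}
```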
  • Good point Ace,

    I was aware of the same but not sure; thanks for clearing the doubt.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Wednesday, March 14, 2012 12:08 AM
  • Adding domain users or IT admins to local Administrators is safe, and it is easier to do it using Group Policy Preferences in Windows 2008. Alan has a good write-up below. Even Domain Administrators is a default member of the local Administrators group for domain-joined machines, and it will be there until it is removed.

    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 14, 2012 9:41 AM