PC Local Administrators

    Question

  • I have created a domain security group called DL_PC_Local_Admins. In this group I have added some support users who need admin privileges on local computers to enable them to support users. I have then added the group as a member of the Local Administrators group using a Restricted Groups GPO. However, when members of this group log on to local PCs they cannot do any support work. They do not have the requisite privileges to do this. What could be the problem?
    Monday, May 09, 2016 4:57 PM

All replies

  • Hi,

    Is the policy getting applied? What does GPResult show?

    Refer here for steps: https://social.technet.microsoft.com/Forums/windowsserver/en-US/64d9a801-5281-487c-8d14-1b092c0dffcf/group-policy-restricted-groups-how-to-specify-a-local-user-as-member-of-the-administrators?forum=winserverGP

    Open the local Administrators group on the machine and see if the restricted group got added.

    Note: Once the GP Restricted Groups policy is applied to a machine, all its existing members will be overridden.


    Devaraj G | Technical solution architect

    Monday, May 09, 2016 5:36 PM
  • Thanks Devaraj. The policy is being applied since the group has been added to the Administrators group of every PC. However, the members of this group that has been added to the local administrators group do not have administrative privileges to these PCs.

    Here is the GPResult /r output:



    USER SETTINGS
    --------------
        CN=JAMES KANYI,OU=ICT,OU=Permanent,OU=XXX Users,DC=XXX,DC=test
        Last time Group Policy was applied: 5/10/2016 at 10:38:33 AM
        Group Policy was applied from:      DC-Test.XXX.test
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        XXXTest
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Deny privileged Access to PCs

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            GG_ICT_Support
            DL_Local_PC_Admins
            High Mandatory Level

    Tuesday, May 10, 2016 8:02 AM
  • Hi,

    Thanks for your post.

    I suggest you check if the group is member of local administrators group on clients.

    Best Regards,

    Jay




    Tuesday, May 10, 2016 1:40 PM
    Moderator
  • > this group that has been added to the local administrators group do not
    > have administrative privileges to these PCs.
     
    What is the evidence for them not having admin privs?
     
    >      The user is a part of the following security groups
    >          BUILTIN\Administrators
     
    I've seen unexpected results in this report, but to me the user in fact
    IS a local administrator.
     
    Tuesday, May 10, 2016 4:06 PM
  • Strange! If the object is part of the Built-in Administrators group, then that account should have complete access on the system.

    How are you confirming that the user doesn't have admin access despite being in the built-in group?

    What actions have you tried?


    Devaraj G | Technical solution architect

    Tuesday, May 10, 2016 4:09 PM
  • Hi Jay,

    Yeah, the group is a member of the local Administrators group on the clients. But the members of this group do not have administrative privileges on these clients. This is how I have implemented this:

    I have created a global group in the Active Directory called GG_ICT_Support. One of the members in this group is james. The group is then added as a member to a domain local group called DL_Local_PC_Admins.

    The DL_Local_PC_Admins group is then added as a member of the Local Administrators group on all the client PCs using a GPO, and I have checked that it is indeed a member.

    When james logs on to the client named test1, which is in this domain, he does not have administrative privileges on this client.

    Is there another way of doing this? I need to appoint some ICT users to manage the PCs (Software installation, network settings etc)

    Wednesday, May 11, 2016 2:05 PM
  • I am logging in as this user and I attempt installing software, changing the computer name etc. It tells me that "this operation has been cancelled due to restrictions in effect on this computer"
    Wednesday, May 11, 2016 2:09 PM
  • > changing computer name etc. It tells me that "this operation has been
    > cancelled due to restrictions in effect on this computer"
     
    This is not a valid indication for not being an administrator :-) Open a
    command prompt, run "whoami /groups" to verify.
     
    • Marked as answer by Kanderendu Wednesday, May 11, 2016 3:50 PM
    • Unmarked as answer by Kanderendu Wednesday, May 11, 2016 3:50 PM
    Wednesday, May 11, 2016 2:29 PM
  • True, the group is part of the administrators group. But I have found where the mistake was. I had linked the GPO to the wrong OU. Thanks a lot.
    • Marked as answer by Kanderendu Wednesday, May 11, 2016 3:51 PM
    Wednesday, May 11, 2016 3:51 PM
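
The checks suggested in the replies above, gathered into one script. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 or later on an English-language client and is run while logged on as the support user.

```powershell
# Added example: run on the client while logged on as the support user.
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Is the Administrators SID present in this logon token?
#    The CSV column names assume an English-language Windows installation.
$entry = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq $adminSid }

if (-not $entry) {
    'Token does not contain BUILTIN\Administrators (log off and on again after a group change).'
} elseif ($entry.Attributes -match 'deny only') {
    'Member of Administrators, but this process is not elevated (UAC filtered token).'
} else {
    'Member of Administrators, and this process is elevated.'
}

# 2. Which principals did the Restricted Groups policy leave in the local group?
#    DL_Local_PC_Admins from the thread should be listed here.
Get-LocalGroupMember -SID $adminSid |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Which GPOs reached each side? Restricted Groups is a computer-side
#    setting, while the output posted in the thread shows only USER SETTINGS.
gpresult /r /scope computer   # computer scope needs an elevated prompt
gpresult /r /scope user
```

Comparing the applied GPOs in both scopes against the OU that actually holds the user and computer objects is the quickest way to spot a GPO linked to the wrong OU.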