Using Group Policy to add Domain groups to local Administrators group

  • Question

  • hi,

    I am looking for the best way to accomplish this. Here is the setup. (All Windows 2008 SP2 servers)

    1. I have an OU called Servers (all servers reside in this OU)
    2. Within this OU there are 3 sub OUs called presales Servers, application Servers, DBservers
    3. I have 4 domain groups: productsupport, presales, ITsupport, DBA

    Here is what I am trying to accomplish:
    1. productsupport and ITsupport groups need to be a member of the local Administrators group on all servers in the Servers OU.
    2. presales group only needs to be a member of the local Administrators group for the servers located in the "presales servers" OU.
    3. DBA group only needs to be a member of the local Administrators group for the servers located in the "Dbservers" OU.

    But I also want to make sure domain admins are always members of the local Administrators group on all member servers. In addition to these 5 groups (domain admin, productsupport, itsupport, DBA, presales) I will also be adding a group directly to the local "Administrators" group manually in the OU mentioned earlier, "application servers". So we need to make sure that this manually added group does not get removed by the GPOs that apply to the top level OU, i.e. Servers.

    Hopefully I was able to explain this. Please let me know if you have questions.

    thanks

    Wednesday, August 11, 2010 5:08 PM

Answers

  • Look to this video, it is about restricted groups in windows 2008 (I am unable to open it because youtube is blocked in my country):

    http://www.youtube.com/watch?v=G7ROD2pgXd4

    This should solve your problem.

    Best regards.

    • Marked as answer by cbcbcbcb Wednesday, August 18, 2010 3:03 PM
    Wednesday, August 11, 2010 5:12 PM

All replies

  • You can use GPO Group Policy Preferences. Create a GPO for each OU and define the setting giving whatever group or security principal local Administrators group membership.

    http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/

    Don't use restricted groups.


    I hope this information answered your question or was helpful.
    Wednesday, August 11, 2010 5:16 PM
  • Yes, I don't want to use Restricted Groups, but the method you posted here seems very confusing, or maybe it is badly worded. I don't think I can accomplish what I need to do with the preferences (over there it seems like I have to create additional security groups). I do not want to create any more groups.

    Or maybe I am not understanding the steps correctly.

    thanks

    Wednesday, August 11, 2010 7:29 PM
  • No, you should not create new groups. It is just that with restricted group policy you can define which domain groups are members of local groups via a GPO. The video and the link explain how to do such a thing. Just try to do the configuration and your problem will be solved. It appears to be difficult to do but it is not.
    Wednesday, August 11, 2010 7:32 PM
  • If you don't want to use restricted groups, you should go to each client computer and do this manually.

    Best regards.

    Wednesday, August 11, 2010 7:34 PM
  • I'll google a better link for GPP (or you can www.google.com). I misread earlier and now I see you already have groups created. Sorry for my misunderstanding. Going to each computer and manually editing the local admin group is ridiculous unless you only have a few. Stand by please for a link to a better article. Furthermore, I would advise testing the GPO (GPP settings) before going to production.
    I hope this information answered your question or was helpful.
    • Edited by Roy Mayo Wednesday, August 11, 2010 8:03 PM
    Wednesday, August 11, 2010 7:48 PM
  • http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    this is fairly comprehensive. Cheers


    I hope this information answered your question or was helpful.
    Wednesday, August 11, 2010 7:55 PM
  • @Roy
    I tried using the first article you sent and that does not work. In that article, #5 is asking me to create a group %computername%-admin. Are they only using that as an example, or do I need to actually name my groups as %computername%-admin and then add them to the Administrators (built-in) group? Can you confirm this?

    I am going through the next article you sent now. Thanks for all the help and time you are putting into this.

    Wednesday, August 11, 2010 8:12 PM
  • You are certainly welcome and I hope my suggestions are of some use. I'm new to helping people in forums and sometimes fail to provide enough detail. I'm working on it.
    I hope this information answered your question or was helpful.
    Wednesday, August 11, 2010 8:23 PM
  • Don't forget to run gpupdate /force in CMD on the server so that you force your GPO to be applied. (It is recommended to use such a command on the client computers.)

    Best regards.

    Wednesday, August 11, 2010 9:23 PM
  • CDCDCDCD

    Hi... I am the author of that article...

    When configuring the group policy you use "%computername% admin"; the %computername% is a variable and will get translated when you apply it to the computer... In the domain you will have to manually create the groups "PC01 Admin", "PC02 Admin" etc. if your computers are actually called PC01 and PC02. At no time will you create a group in AD called "%computername% Admin"...

    Hope this helps

    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    • Proposed as answer by Alan Burchill Wednesday, August 11, 2010 10:32 PM
    Wednesday, August 11, 2010 10:32 PM
  • @MSHelper: Thanks, sorry I did not go through the video and some articles on restricted groups earlier, but after reading the articles and looking at this video everything was so clear. I used restricted groups to accomplish this and I think restricted groups work perfectly for what I need.

    Also tested this on my test machines. Works perfectly. Took about 10 minutes to configure the way I needed it. The secret is using the "This group is a member of" option and not "Members of this group".

    Restricted groups is the way to go.

    Everyone: Thanks a lot for the help and for spending your time looking into this for me.

    Thursday, August 12, 2010 7:14 PM
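The distinction the poster landed on matters: a Restricted Groups entry configured as "Members of this group" enforces the list exactly and strips anything added by hand, while "This group is a member of" only adds the named group and leaves other members alone. The following audit script is an added example, not part of the thread or any linked article; it checks that each server in the poster's OU layout actually ends up with the expected local Administrators membership and surfaces anything unexpected (such as the manually added group on the application servers) for review. The domain DN, the Domain Admins name and the ADSI WinNT calls are assumptions; it expects RSAT's ActiveDirectory module on the workstation it runs from.

```powershell
# Added audit example (not from the thread). Assumes RSAT ActiveDirectory module,
# an assumed domain DN of contoso.com, and WinNT-provider access to each server.
Import-Module ActiveDirectory

$base = 'OU=Servers,DC=contoso,DC=com'        # assumed DN of the poster's Servers OU

# Groups that must be present on every server (enforced at the Servers OU level).
$always = @('Domain Admins', 'productsupport', 'ITsupport')

# Extra groups expected only inside a given sub-OU (names from the question).
$perOU = @{
    'presales Servers'    = @('presales')
    'DBservers'           = @('DBA')
    'application Servers' = @()   # manually added group is allowed, so it shows up as "Unexpected" for review
}

function Get-LocalAdmins([string]$computer) {
    # The WinNT ADSI provider works against Windows 2008 without PowerShell remoting.
    $grp = [ADSI]"WinNT://$computer/Administrators,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

foreach ($sub in $perOU.Keys) {
    $ou       = "OU=$sub,$base"
    $expected = $always + $perOU[$sub]

    Get-ADComputer -SearchBase $ou -Filter * | ForEach-Object {
        $name = $_.Name
        try   { $actual = @(Get-LocalAdmins $name) }
        catch { Write-Warning "$name unreachable: $_"; return }   # 'return' skips to the next computer

        # Missing entries mean the GPO did not apply (or the wrong option was used).
        $missing = $expected | Where-Object { $actual -notcontains $_ }
        # Anything beyond the expected list deserves a look; the local Administrator
        # account is always present and is not worth reporting.
        $extra   = $actual   | Where-Object { $expected -notcontains $_ -and $_ -ne 'Administrator' }

        [pscustomobject]@{
            Computer   = $name
            OU         = $sub
            Missing    = ($missing -join ', ')
            Unexpected = ($extra   -join ', ')
        }
    }
}
```

Run it after a gpupdate /force on the servers; a non-empty Missing column on a sub-OU is the quickest way to tell whether a higher-level "Members of this group" entry is overwriting the sub-OU's additions.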
  • You are always welcome.

    Please mark as a response and helpful the replies that helped you to solve your problem.

    Best regards.

    Thursday, August 12, 2010 7:51 PM