How to add a *local* group to local Administrators via group policy

-

scenario:

  • i manage set of computers in ou within organization's ad.
  • i not have control of gpo's @ top of ou hierarchy nor want break inheritance of gpo's.
  • my organization has top-level gpo clears out local administrators group , adds specific set of domain users , groups.

problem:

  • i want able make some users administrators of own workstations.
  • i want without having make separate ou each of these users' workstations. list of users small enough don't mind giving them admin rights workstation.

proposed solution:

  • i want make local group on computer called, say, "extralocaladmins" , add that group local administrators group. then, can add individual users each workstation's extralocaladmins group.

where need help:

  • because top-level gpo's clear , repopulate local administrators group on every gpupdate, need way add extralocaladmins group administrators without clearing out domain users/groups have been placed there top-level gpo's (and, of course, without deleting/re-creating extralocaladmins). problem is, i've been unable work. i've tried using restricted groups specify .\extralocaladmins , add "this group member of: administrators", isn't taking effect.

any ideas? there better approach should using?

>   * want make local group on computer called, say,
>     "extralocaladmins" , add /that/ group local
>     administrators group.
 
you cannot. local groups cannot nested.
 
what can do: use gpp "local users , groups". add user directly
to local admins if member of given domain group (item
level targeting).
 
example:
 
johndoe logs on johndoeworkstation. create domain group
"johndoeworkstation-admins", add johndoe group.
 
in gpp local users , groups, add local administrators group ,
add %logonuser% member. enable item level targeting, filter
"security group", "user member of", group name
%computername%-admins (do not use object picker here!).
 
done...
 
greetings/grüße, martin

mal ein gutes buch über gpos lesen?
good or bad gpos? - blog…
, if bothers me - coke bottle design refreshment (-:


Windows Server  >  Group Policy



Comments

Post a Comment

Popular posts from this blog

2008 Windows Deployment Server Properties Error

-
currently wading through setup , configuration of wds on 2008 server. have captured xp sp2 image , purposes of testing not prestaging. pxe response settings have been set "respond (known & unknown) client computers" leaving "for unknown clients, notify administrator etc" unchecked when ok properties sheet error "server properties error" "the system cannot find file specified" when attempting use command "wdsutil /approve-autoadddevices /requestid:1" in response pending devices within gui "an error occurred while trying execute command. error code: 0x6 error description: access denied" surely if not attempting add workstations domain (no prestaging) there shouldn't problem. any appreciated  answering part of own question although if can explain reason appreciated. server properties error occurs when launching windows deployment services using start>all programs>administrative tools. if access via server manager...
Read more

Domain migration ERR3:7075 Failed to change domain affiliation, hr=8007054a This operation is only allowed for the Primary Domain Controller of the domain

-
dear all hope 1 faced issue , can me solution member server migration. i'm in process of intraforest migration using admt 3.1, have established trust between domains. domain (source domain) have both dc's running on windows 2003 functional level windows 2003 , while in domain b ( target domain )we have both windows 2008 , windows 2003 domain same functional level of windows 2003. have installed exchange 2007 sp2 in domain b. have installed admt in domain b , created necessary service acct used migration purpose , provide them whatever privileges required on both source , target domain. issue user , group migration done, while member server migration failed eventhough migration service account added local admin group of these member servers in source domain need migrated , domain local setting policy network access has been enabled llcsrpc, browser, netlogon ...(named pipes can accessed anonymously.) also have unistall , install microsoft network client services gett...
Read more

How do a find data in one file, search for it in another file and if not found, write a custom message to another file

-
in file if.txt, starting on 2nd line of file, data formatted follows: ah10551,a10551,cn=a10551,a10551@qts.com ah10600,a10600,cn=a10600,a10600@qts.com ah10608,a10608,cn=a10608,a10608@qts.com in file sf.txt, data formatted follows: 2011-02-16 17:26:44 sid acme\ah10551 added sid history of qts\a10551 2011-02-16 17:26:44 sid acme\ah10244 added sid history of qts\a10244 2011-02-16 17:26:45 sid acme\ah10425 added sid history of qts\a10425 please provide suggestions on how following: 1. in if.txt file, read first field first ',' , store in variable called $if1 2. in sf.txt file, search for the value stored in $if1 , if found, ignore.  if not found, write custom message in another file such as: $if1 sidhistory not migrated. these files wont large.  im trying build 'exception file' of items in if.txt file not occurring in sf.txt file. thanks in advance ideas. mtv99 many ways that... here's one... (using example data) [array]$if1=@() gc d:\if.txt...
Read more