Anaheim
I have to grant certain domain users administrative rights on their own PC where they do
development work.
When I log in as administrator on the domain client PC, I go to Control Panel-->Administrative
Tools-->Computer Management.
To give user1 local admin rights, I add the domain user to the Administrators group on the PC,
by typing "COMP_A\user1". It then asks for the domain administrator's password, which I
enter. This is accepted.
When user1 logs in to the domain on that PC with local admin rights, user1 seems to have the
ability to add everybody to the local PC administrators group without asking for the domain
administrator's authentication. Have I done anything incorrectly?
10 Replies
Cayenne
No, the local PC administrator can control basically everything regarding that computer.
Thai Pepper
You could use Group Policy Preferences here to control what user accounts are added to the
local administrators group.
It would automatically add that user and whatever other users/groups you want, as well as remove
all others in case a user does add an unauthorized account.
Habanero
Brian2327 wrote:
You could use Group Policy Preferences here to control what user accounts are added to the
local administrators group.
It would automatically add that user and whatever other users/groups you want, as well as remove
all others in case a user does add an unauthorized account.
+1
Personally, I wouldn't give them Admin rights. Users always abuse privileges.
Anaheim
Hi Brian,
Unfortunately, that's what I also figured. Anyway, how could I restrict the users by using GPO?
Thai Pepper
Raj, you can use a GPO to automatically add or remove either users or groups from a computer's
local groups.
This won't restrict a user, but it resets the group membership to what you set it to, based on the Group
Policy refresh interval.
Computer Configuration > Preferences > Control Panel > Local Users and Groups
**Keep in mind**
Sonora
1. Create a new Group Policy Object and call it whatever you'd like.
2. Using Group Policy Management Editor, right-click on the policy and select edit.
3. Open Computer Configuration -> Policies -> Windows Settings -> Security Settings ->
Restricted Groups
4. Right-click "Restricted Groups", select "Add Group"
5. Under "Group", type "Administrators"
6. Click "OK"
7. Next to "Member of this group", click "Add"
8. Enter the name of the individuals or (preferably) the Active Directory group you want to add.
9. Click "OK"
10. Close Group Policy Management Editor
11. Either apply the newly-created GPO to your entire domain forest or assign it to the
specific Organizational Units (OUs) that you wish it to apply to, and make sure that the
computers you want affected by the GPO are members of those OUs.
This is pretty quick and dirty, but that's the basics of how you do it. I would definitely
recommend testing on a small number of systems before you deploy it to anything like your
entire domain.
Serrano
Witch-King wrote:
1. Create a new Group Policy Object and call it whatever you'd like.
2. Using Group Policy Management Editor, right-click on the policy and select edit.
3. Open Computer Configuration -> Policies -> Windows Settings -> Security
Settings -> Restricted Groups
4. Right-click "Restricted Groups", select "Add Group"
5. Under "Group", type "Administrators"
6. Click "OK"
7. Next to "Member of this group", click "Add"
8. Enter the name of the individuals or (preferably) the Active Directory group you want
to add.
9. Click "OK"
10. Close Group Policy Management Editor
11. Either apply the newly-created GPO to your entire domain forest or assign it to
the specific Organizational Units (OUs) that you wish it to apply to, and make sure
that the computers you want affected by the GPO are members of those OUs.
This is pretty quick and dirty, but that's the basics of how you do it. I would definitely
recommend testing on a small number of systems before you deploy it to anything like your
entire domain.
+1
This is how you do it. By using Members of this Group all other local admins will be removed
unless they are explicitly listed. So if the user tries to add another local admin it won't work.
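A way to verify on a client PC that the Restricted Groups setting from Witch-King's steps (and the "all other local admins will be removed" behaviour described just above) actually took effect, as an added PowerShell example that is not from any poster in this thread. The domain name CONTOSO and the group names in the allowed list are assumptions; Get-LocalGroupMember needs Windows 10 / Server 2016 or later and an elevated prompt.

```powershell
# Added example (not from the thread): audit the local Administrators group
# against the membership the Restricted Groups policy is meant to enforce and
# report anything that should not be there. All names below are assumptions.
param(
    [string[]]$Allowed = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin account
        "CONTOSO\Domain Admins",             # assumed domain group
        "CONTOSO\Workstation-LocalAdmins"    # assumed AD group holding the developers
    ),
    [switch]$Remediate                       # remove unexpected members when set
)

# Current membership, including any account a local admin added by hand
# since the last Group Policy refresh. Orphaned SIDs (deleted accounts)
# would otherwise make the cmdlet error out, so keep going past them.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue

# -notcontains is case-insensitive, so "contoso\domain admins" still matches.
$unexpected = foreach ($m in $members) {
    if ($Allowed -notcontains $m.Name) { $m }
}

if (-not $unexpected) {
    Write-Output 'Administrators membership matches the approved list.'
    return
}

foreach ($m in $unexpected) {
    # ObjectClass shows whether a user was added directly instead of through
    # the approved AD group, which is the drift the GPO should be correcting.
    Write-Warning ('Unexpected member: {0} ({1}, SID {2})' -f $m.Name, $m.ObjectClass, $m.SID)
    if ($Remediate) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        Write-Output "Removed $($m.Name) from Administrators."
    }
}
```

Running it before and after `gpupdate /force` shows whether the policy is doing the removal on its own; the `-Remediate` switch is only for machines where the GPO has not applied yet.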
Serrano
Also, another approach maybe is to keep them running as their day to day AD account for
general tasks, and give them a local administrator account's credentials. Make them use UAC
prompts to elevate their privileges at the required moment administrator access is required.
Obviously, this presumes you're running Vista+.
I run this way myself, and as an admin the number of times I ever use admin rights in a day is
pretty minimal, having appropriate user group rights around the network where necessary. If
your users are using crappy software that requires admin privileges you should check application
compatibility options first, and NTFS rights to that particular program's folder should compat
options fail.
If your users are testing out software or settings and stuff, they only need the admin rights at those
moments, not when they check their email, browse the web or scratch their arse! ;) And if
developing, they should test that their apps work as standard users!
Datil
Btw - to use restricted groups you need Group Policy Management Console with the extensions
from Vista or later.