How do I edit a Domain GPO from a workstation?


buck614

I want to add the 'Local Administrator' right to an OU on my Domain,
however the 'Local Administrator' group is not available.

On the domain I have selected my OU, and then I edit the new GPO.

I go to:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

I then click Add Group.

The 'Local Administrators' group is not listed.
The 'Administrators' group is listed.

To allow Domain users to have Administrator access to their individual
computers I think they need 'Local Administrator' group access. Is
this the same as the 'Administrator' group?

From what I have read, I need to add the 'Local Administrator' group.
This is why I keep reading that the GPO has to be edited from a
workstation or a member server. The 'Local Administrator' group is NOT
on the Domain controller.

From what I understand you have to load the admin tools onto a
workstation and Edit the Domain GPO from the workstation.

HERE IS MY QUESTION:
How do you edit a GPO on the domain from a workstation?

I need to give access to a select group of my Domain Users to have
Administrator access to their local computers. Obviously I want to do
this with a Domain level GPO.

I have looked everywhere and I cannot find an answer. I installed the
Adminpak on my workstation but I cannot seem to figure out how to edit
a GPO on the domain from a workstation.

Thank You for your help.
Dave
 
Actually I tried that. I assumed that that was how you would do it. I
used ADSI Edit on a WIN 2000 Professional machine on the network and
browsed to the desired OU. However, there isn't a Group Policy tab
when I go to properties on the selected OU. There are only two tabs,
'Attributes' and 'Security'. None of which reference any information
for a GPO. Am I supposed to use ADSI edit or some other Support Tool
to browse the domain OUs? By the way, I understand that I can use a
script and I thank you for that information but I have been tasked to
do this using a GPO.
Thank You in advance for your help.
Dave
 
I figured it out. What a mess to get there though.

To edit a Domain GPO from a workstation, you need to install ADMINPAK
on the workstation. However, you can't get the one you need from
Microsoft. The one on Microsoft's site works with WIN 2000 and WIN
2003, but you can only run it from a WIN XP machine. Bummer.

I had already installed the Support Tools from the WIN 2000 CD but it
wasn't included in there either.

What you have to do is get the WIN 2000 Server CD, browse to the I386
directory and you will find ADMINPAK. When you install it, it will add
(among others) the 'Active Directory Users and Computers' item into
the 'Administrative Tools' section of the Start Menu. If you don't see
'Administrative Tools' right-click on the start bar and go to
properties. Go to the advanced tab and check 'Administrative Tools'
from the 'Start Menu Settings' window.

I could not find this information ANYWHERE on the internet or
Microsoft's site so I wanted to post it for others.
Thank You
Dave
 