Local Admin & Group Policy Question


email4matt

I wanted to make Domain Admins a local administrator of all machines
through Group Policy (I think this happens by default when a machine is
added to the domain, but some users remove it). I found that it can be
done with "Restricted Groups". The policy seems to work ... but ... it
appears to overwrite what's already in the local administrators group.
For us, this is a problem. On some servers or PCs, we have added
individuals to this group, and they need to remain there. Is there any
way to have the Group Policy ADD to the local administrators group, as
opposed to replacing what's there? Thank you!
 
NOT with Group Policy Restricted Groups.

You could use a Startup script on each workstation:

@echo off
net localgroup Administrators "NetBIOSDomainName\Domain Admins" /ADD

But since your users are local admins (how else could they remove Domain Admins?)
they can remove it each time.

You can also use the Task Scheduler and script a batch on each computer, all from your desktop,
or,
or,
or,
....



Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
I realize they could remove it, that's why my preference was to use
Group Policy if possible. That way, they could remove it, but it would
always be put back by the policy. Thanks for the info. I guess since
I can't do it through GP, I'll add a line to my login script. Thanks!
 
Hi,

Jerold said:
NOT with Group Policy Restricted Groups.

It is. You can add your wanted group to the existing one
without replacing it.

In the restricted group you add first your wanted group
and make them "This group is member of" Administrators

If you do it the other way, add the Administrators to the
restricted group and make them "Member of this group"
(your desired group) it will work replacing.
But since your users are local admins (how else could they
remove Domain Admins?) they can remove it each time.

That's in fact a problem, but every 16 hours the security policy
will be applied via "force" and will correct that.

Some time later, the local admins should get tired of editing
this setting every morning ... :-)

Mark
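
The two Restricted Groups modes described in the reply above are stored as different lines in a GPO's GptTmpl.inf under [Group Membership], so a policy can be checked for which mode it uses before it is linked. The following is an added example, not part of the original thread: a small Python parser that reports whether a template adds to or replaces the local Administrators group. The domain SID and RID 1105 in the samples are constructed, and ignoring empty right-hand sides is a simplifying assumption.

```python
# Added example: classify Restricted Groups entries in GptTmpl.inf text.
# Real files in SYSVOL are UTF-16; read them with open(path, encoding="utf-16").
LOCAL_ADMINS = {"*s-1-5-32-544", "administrators"}  # BUILTIN\Administrators

# Constructed samples; the domain SID and RID 1105 are made up.
DOMAIN_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-512"
ADDITIVE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
{DOMAIN_ADMINS}__Memberof = *S-1-5-32-544
{DOMAIN_ADMINS}__Members =
"""
REPLACING_INF = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {DOMAIN_ADMINS},*S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def local_admin_changes(inf_text):
    """Return {'add': [...], 'replace': [...]} for the local Administrators group."""
    result = {"add": [], "replace": []}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if not sep or not values:
            continue  # empty right-hand side: ignored here (simplification)
        kind = kind.lower()
        if kind == "memberof" and any(v.lower() in LOCAL_ADMINS for v in values):
            # "This group is a member of": group is added, existing members stay
            result["add"].append(group)
        elif kind == "members" and group.lower() in LOCAL_ADMINS:
            # "Members of this group": the listed members replace what is there
            result["replace"].extend(values)
    return result

if __name__ == "__main__":
    print(local_admin_changes(ADDITIVE_INF))
    print(local_admin_changes(REPLACING_INF))
```

A non-empty "replace" list means the policy will overwrite locally added administrators, which is the behaviour the original question ran into.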
 
Mark,

Thank you so much!!! That did the trick. I really appreciate your
help, picture and all!!!!
 