Using GP to assign groups to local admin group

[Guest]

Hello,

We have existing GPs that assign certain groups to the local admins group on
our computers (they manipulate the computer portion). These work fine. I
would like to know how to assign a user (primary user of machine) to this
local admin group but NOT have the GP wipe out the changes when the policy is
refreshed. I have looked into specifying which machines the user has the
right to login to, but this becomes very difficult to manage.

Basically, I want to make a change when I'm at the machine and not have the
GP remove it. Seems simple in theory. Hope there's help.

Thanks!

 

[Jeff Rapp]

Hey Darren,

I am assuming that you are using Restricted Groups in GP to specify which
groups get added to the local admin group. If that is the case there is no
way around GP wiping out a manually specified addition to the local admin
group during a policy refresh. The only way to do this without having a
different Policy for every machine/primary user combo would be to add
something like Domain Users to the local admin group. There are obvious cons
to this approach also.

Let me know if I did not understand your post correctly.

Jeff

 

[Guest]

Hey Jeff,

Thanks for the timely reply. I have confirmed that we are using restricted
groups to set the membership of the local admins group. What do you think is
a good solution to this problem? The desired outcome is to give the primary
user admin rights while being able to make changes (through GP or other
methods) to the membership of the local admins group. I'm getting dizzy!

Otherwise it may be prudent to simply put this user in the power users group
and be done with it. Thanks again for your help.

 

[Jeff Rapp]

Darren,

I think you are on the correct path with Power Users. Restricted Groups are
great except you run into this scenario.

Jeff