Local Admin on all machines and add comp to domain

this thread has 11 replies and has been viewed 3742 times

#1 | 15th May 2008, 23:58 | Chickensaur
Local Admin on all machines and add comp to domain

Hello all,

I have been doing some research on how to do these two things, but I don't seem to be having much luck on these specific issues. I currently have domain admins, which of course has all of the system administrators. I recently created a group called Desktop Support, which will house the...can we guess...desktop support people.

I need this desktop support group to have two things:
  1. The ability to add computers to the domain.
  2. Setup the group as a local administrator on all client PCs (not servers).

As for my computer name structure, they are in different OUs. So when I add a machine to the domain, it ends up in the Computers folder. After that, I move the computer into a different OU called either Laptop, Desktops or Servers.

Thank you for taking a look and reading. If you have any suggestions, I thank you in advance.

#2 | 16th May 2008, 00:06 | Chickensaur
Re: Local Admin on all machines and add comp to domain

I am sorry, I guess I missed the GPO forum. I will post this there.

Once again, sorry.

#3 | 16th May 2008, 00:07 | Chickensaur
Add domain group to local admin and add a pc to domain

Hello all,

I have been doing some research on how to do these two things, but I don't seem to be having much luck on these specific issues. I currently have domain admins, which of course has all of the system administrators. I recently created a group called Desktop Support, which will house the...can we guess...desktop support people.

I need this desktop support group to have two things:
  1. The ability to add computers to the domain.
  2. Setup the group as a local administrator on all client PCs (not servers).

As for my computer name structure, they are in different OUs. So when I add a machine to the domain, it ends up in the Computers folder. After that, I move the computer into a different OU called either Laptop, Desktops or Servers.

Thank you for taking a look and reading. If you have any suggestions, I thank you in advance.

#4 | 16th May 2008, 00:35 | gepeto
Re: Local Admin on all machines and add comp to domain

A Mod can move the post instead of you double posting..

To answer your question, take a look at Restricted Groups in the GPO. Add the group in the local administrators that way. Then, you might want to delegate control over the computer objects in the OU where desktops are to the same group, as I suppose they will be joining machines to the domain etc..

#5 | 16th May 2008, 02:51 | JDMils
Re: Add domain group to local admin and add a pc to domain

We have two groups:

Desktop Support: gGpl_AddGrouptoLocalAdminsGroup
Domain Admins: Domain Admins

We add both groups to all Local Administrators groups on workstations by GPO:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups
GroupName = Administrators
Members = myDomain\gGpl_AddGrouptoLocalAdminsGroup, myDomain\Domain Admins

Of course you apply this GPO to the OU with your workstations as your servers will be in their own, separate OU. Your Desktop users should be in the "gGpl_AddGrouptoLocalAdminsGroup" group.

As for adding computers to the domain, edit "Default Domain Controller" group policy under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\". Here look for policy named "Add workstations to domain" and double click on it.

Now add the group "gGpl_AddGrouptoLocalAdminsGroup" to this policy.

Wait for the replication to finish between the DCs and your help desk personnel are now able to add workstations to domain.
__________________
|
+-- JDMils
|
+-- System Admin, DotNet programmer & Jack of all trades
|

#6 | 16th May 2008, 03:53 | Chickensaur
Re: Add domain group to local admin and add a pc to domain

I appreciate you getting back to me on this. I have been doing research and stumbled across the restricted groups policy. I had a question about the way it works though. If I setup restricted groups, can I still add individual users to the local admin group? Many of my users need to be local admins on their machines because of the type of work and software they do/use. This is something I will need to test.

As for the adding machines to the domain, I did edit that GPO but it doesn't seem to help with anything. My support group is still having problems adding machines to the domain. Anyone have any ideas about what could be causing this?

#7 | 16th May 2008, 03:55 | Chickensaur
Re: Local Admin on all machines and add comp to domain

Quote:
Originally Posted by gepeto View Post
A Mod can move the post instead of you double posting..

To answer your question, take a look at Restricted Groups in the GPO. Add the group in the local administrators that way. Then, you might want to delegate control over the computer objects in the OU where desktops are to the same group, as I suppose they will be joining machines to the domain etc..

Thank you for the response.

Is it possible to have the mods delete this post or lock it or something....

#8 | 16th May 2008, 12:47 | Ossian (Administrator)
Re: Local Admin on all machines and add comp to domain

Moved to GPO forum at OPs request
And merged with the other thread

Reasons not to double post number 403.5......
__________________
Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland

** Remember to give credit where credit is due and leave reputation points where appropriate **

Last edited by Ossian; 16th May 2008 at 12:50..

#9 | 16th May 2008, 18:40 | Chickensaur
Re: Add domain group to local admin and add a pc to domain

Quote:
Originally Posted by JDMils View Post
We have two groups:

Desktop Support: gGpl_AddGrouptoLocalAdminsGroup
Domain Admins: Domain Admins

We add both groups to all Local Administrators groups on workstations by GPO:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups
GroupName = Administrators
Members = myDomain\gGpl_AddGrouptoLocalAdminsGroup, myDomain\Domain Admins

Of course you apply this GPO to the OU with your workstations as your servers will be in their own, separate OU. Your Desktop users should be in the "gGpl_AddGrouptoLocalAdminsGroup" group.

As for adding computers to the domain, edit "Default Domain Controller" group policy under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\". Here look for policy named "Add workstations to domain" and double click on it.

Now add the group "gGpl_AddGrouptoLocalAdminsGroup" to this policy.

Wait for the replication to finish between the DCs and your help desk personnel are now able to add workstations to domain.

This works great, but the only problem I have is that if I do this to all of my computers in the domain, it overwrites what is currently in the local administrators group. The majority of my users need to be a local admin on their box. Is there a way around this...or maybe a GPO that allows you to create local groups on the machine itself.

Thank you once again.

#10 | 16th May 2008, 19:50 | Chickensaur
Re: Local Admin on all machines and add comp to domain

I figured out what I did wrong with the restricted groups. I setup the reverse...I had it overwrite instead of add my domain group to the local group. Sorry...my brain is fried.

Now I just need to figure out why I can't setup my desktop support group to add machines to the domain. I added them to the GPO and delegated control to them, but it still doesn't seem to be working. I am getting an access is denied error.
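
Added example, not part of any post in this thread: posts #5, #9 and #10 turn on the difference between a Restricted Groups entry that sets "Members" of Administrators (authoritative, replaces the local list) and one that makes the domain group a "Member Of" Administrators (additive). The sketch below audits the `[Group Membership]` section of a GPO's `GptTmpl.inf`, the file in SYSVOL where Restricted Groups settings are stored, and reports which form a policy uses. The function names are hypothetical and the SIDs in the sample text are constructed placeholders.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed samples of a GptTmpl.inf; the domain SIDs are placeholders,
# not values taken from the thread.
OVERWRITE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-512
"""

ADDITIVE_INF = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
"""

def parse_group_membership(inf_text):
    """Return [(group, kind, [values])] from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
            entries.append((m.group(1), m.group(2).lower(), values))
    return entries

def classify_admin_policy(inf_text):
    """Describe how the policy touches the local Administrators group."""
    admin_names = (ADMINISTRATORS_SID, "ADMINISTRATORS")
    findings = []
    for group, kind, values in parse_group_membership(inf_text):
        if kind == "members" and group.upper() in admin_names:
            # "Members" on Administrators is authoritative: anyone not listed is removed.
            findings.append(("overwrite", values))
        elif kind == "memberof" and any(v.upper() in admin_names for v in values):
            # "Member Of" on the domain group only adds it; existing members stay.
            findings.append(("additive", [group]))
    return findings
```

Running `classify_admin_policy` over a copy of the workstation GPO's `GptTmpl.inf` before linking it shows whether per-user local admin entries would be wiped on the next policy refresh.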