Is there a way to add a new user as a Local Administrators on a PC thru Group
Policy...without removing any current users (also Local Administrators) that
are already on that PC.

I know I can manually add directly on that PC, but curious if there is a way
thru GPO.

Thanks.

Re: Local administration and Group Policy by Phillip

Phillip
Thu Aug 14 14:19:20 PDT 2008

No. GPOs are just glorified registry edits. User accounts are not stored
in the registry, they are stored in the local user account database.

There is probably a script that can be run to do it, but I suspect it has to
be run locally by someone who is already an Administrator.

I never add *users* to the Local Administrator's Group,...I add Groups.
Therefore I only have to do it once,...then new user of course will go into
the correct group which automatically means they are in the Administrators
Group.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Marc S" <MarcS@discussions.microsoft.com> wrote in message
news:27E99F06-7412-4ED2-852E-8529519FBB5C@microsoft.com...
> Is there a way to add a new user as a Local Administrators on a PC thru
> Group
> Policy...without removing any current users (also Local Administrators)
> that
> are already on that PC.
>
> I know I can manually add directly on that PC, but curious if there is a
> way
> thru GPO.
>
> Thanks.



Re: Local administration and Group Policy by Florian

Florian
Thu Aug 14 22:19:34 PDT 2008

Marc,

Marc S wrote:
> Is there a way to add a new user as a Local Administrators on a PC thru Group
> Policy...without removing any current users (also Local Administrators) that
> are already on that PC.
>
> I know I can manually add directly on that PC, but curious if there is a way
> thru GPO.

You can use Restricted Groups for that, if you want to add domain users
into local machine's groups:
http://www.frickelsoft.net/blog/?p=13

Creating new local users that are not in AD needs Group Policy
Preferences. They consist of a client part that needs to be installed on
all machines and a "management" part which is either Windows Server 2008
or a Vista machine with SP1 and RSAT installed.
See:
http://www.microsoft.com/downloads/details.aspx?familyid=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Re: Local administration and Group Policy by Phillip

Phillip
Fri Aug 15 07:53:47 PDT 2008


"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
message news:%23$mlpap$IHA.3392@TK2MSFTNGP03.phx.gbl...

> You can use Restricted Groups for that, if you want to add domain users
> into local machine's groups:
> http://www.frickelsoft.net/blog/?p=13

Cool. Simple enough.
The term Restricted Groups rang a bell when I saw your post, but I've never
messed with them before. It doesn't seem all that complicated.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------



Re: Local administration and Group Policy by Florian

Florian
Fri Aug 15 08:17:06 PDT 2008

Phillip,

Phillip Windell wrote:
> "Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
> message news:%23$mlpap$IHA.3392@TK2MSFTNGP03.phx.gbl...
>> You can use Restricted Groups for that, if you want to add domain users
>> into local machine's groups:
>> http://www.frickelsoft.net/blog/?p=13
>
> Cool. Simple enough.
> The term Restricted Groups rang a bell when I saw your post, but I've never
> messed with them before. It doesn't seem all that complicated.

They are really cool. I must admit you need to know what group to put in
where when using that UI but once you get behind it, it's a really cool
feature.

Group Policy Preferences are even easier as they use a fool-proof UI to
do all that stuff.

Cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Re: Local administration and Group Policy by MarcS

MarcS
Fri Aug 15 08:50:03 PDT 2008



"Florian Frommherz [MVP]" wrote:

> Phillip,
>
> Phillip Windell wrote:
> > "Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
> > message news:%23$mlpap$IHA.3392@TK2MSFTNGP03.phx.gbl...
> >> You can use Restricted Groups for that, if you want to add domain users
> >> into local machine's groups:
> >> http://www.frickelsoft.net/blog/?p=13
> >
> > Cool. Simple enough.
> > The term Restricted Groups rang a bell when I saw your post, but I've never
> > messed with them before. It doesn't seem all that complicated.
>
> They are really cool. I must admit you need to know what group to put in
> where when using that UI but once you get behind it, it's a really cool
> feature.
>
> Group Policy Preferences are even easier as they use a fool-proof UI to
> do all that stuff.
>
> Cheers,
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste


I appreciate all the info on Restricted Groups, however let me ask the
question another way.

If I have 50 PCs that all have 2 users (that are in AD) added with local
Administrators permissions on these PCs. Each of the 50 PCs may have
different 2 users listed as Local Admin, so it's not the same 2 people on each
PC. If I want to add an ADDITIONAL single user (that is in AD) to all of
these 50 PCs to have Local Admin rights...without removing any
current/existing users listed as Local Admin (already in AD) on those
PCs...will the Restricted Group work?





Re: Local administration and Group Policy by Florian

Florian
Fri Aug 15 09:05:42 PDT 2008


Marc,

Marc S wrote:
> If I have 50 PCs that all have 2 users (that are in AD) added with local
> Administrators permissions on these PCs. Each of the 50 PCs may have
> different 2 users listed as Local Admin, so it's not the same 2 people on each
> PC.

Okay, you can't use Restricted Groups for that. Hmm ... you probably
need to script it using NET ADD or friends like that. Will get a rather
long script.

Better yet, have a look at Group Policy Preferences. You can set up
policies to add the users to those Groups in a single GPO. The trick is
you can filter the whole thing by computer name (or other variables).
I'd really look into Group Policy Preferences. Gives you a lot more
functionality than that - and is probably the same amount of work like
the script.

> If I want to add an ADDITIONAL single user (that is in AD) to all of
> these 50 PCs to have Local Admin rights...without removing any
> current/existing users listed as Local Admin (already in AD) on those
> PCs...will the Restricted Group work?

That's possible with Restricted Groups. Simply read the blog posting
that I pasted in my initial reply.

I'd look into GP Preferences. Really.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Re: Local administration and Group Policy by MarcS

MarcS
Fri Aug 15 10:16:01 PDT 2008



"Florian Frommherz [MVP]" wrote:

> Marc,
>
> Marc S wrote:
> > If I have 50 PCs that all have 2 users (that are in AD) added with local
> > Administrators permissions on these PCs. Each of the 50 PCs may have
> > different 2 users listed as Local Admin, so it's not the same 2 people on each
> > PC.
>
> Okay, you can't use Restricted Groups for that. Hmm ... you probably
> need to script it using NET ADD or friends like that. Will get a rather
> long script.
>
> Better yet, have a look at Group Policy Preferences. You can set up
> policies to add the users to those Groups in a single GPO. The trick is
> you can filter the whole thing by computer name (or other variables).
> I'd really look into Group Policy Preferences. Gives you a lot more
> functionality than that - and is probably the same amount of work like
> the script.
>
> > If I want to add an ADDITIONAL single user (that is in AD) to all of
> > these 50 PCs to have Local Admin rights...without removing any
> > current/existing users listed as Local Admin (already in AD) on those
> > PCs...will the Restricted Group work?
>
> That's possible with Restricted Groups. Simply read the blog posting
> that I pasted in my initial reply.
>
> I'd look into GP Preferences. Really.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste


Ok. I followed the instrux to add the Restricted Group GPO. Basically, I
created a new Security group (in AD) with one person as a member. Then only
added in "The group is a member of" lower menu component to add that new
Security group to the Administrators groups. (from the reading...leaving the
upper menu "Members of this group" blank so nothing pre-existing is removed
from the PC).

After rebooting that PC.

On that local PC, I checked Computer Management console under Groups,
Administrators, and see the new Security Group as a member.

Does anything appear in Control panel - User Accounts?
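
Added example, not part of the original thread: a PowerShell check of the additive behaviour discussed above. It adds one domain group to the local Administrators group and reports membership before and after, so you can confirm that nothing pre-existing was removed. It assumes Windows PowerShell 5.1 (the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated session; the function name Add-LocalAdminAdditive and the account CONTOSO\PC-LocalAdmins are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: the function name and account name are placeholders,
# not values taken from the thread.

function Add-LocalAdminAdditive {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Domain group (or user) to grant local admin rights, in DOMAIN\name form.
        [Parameter(Mandatory)][string]$Member
    )

    # Resolve the built-in Administrators group by its well-known SID so the
    # function also works on localized Windows builds where the name differs.
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'

    # Snapshot membership before the change.
    $before = @(Get-LocalGroupMember -Group $admins |
                Select-Object -ExpandProperty Name)

    if ($before -contains $Member) {
        Write-Verbose "$Member is already a member; nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess($admins.Name, "Add $Member")) {
        # Add-LocalGroupMember only appends; it does not touch existing members.
        Add-LocalGroupMember -Group $admins -Member $Member -ErrorAction Stop
    }

    # Snapshot again and compare against the first snapshot.
    $after = @(Get-LocalGroupMember -Group $admins |
               Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = $after
        Added    = @($after  | Where-Object { $before -notcontains $_ })
        Removed  = @($before | Where-Object { $after  -notcontains $_ })  # should be empty
    }
}

# Dry run first, then the real change (placeholder account name):
# Add-LocalAdminAdditive -Member 'CONTOSO\PC-LocalAdmins' -WhatIf
# Add-LocalAdminAdditive -Member 'CONTOSO\PC-LocalAdmins' -Verbose
```

The same before/after comparison can be run after a Restricted Groups GPO applies: an empty Removed list confirms the "This group is a member of" setting left the existing administrators in place.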