7

I need to give administrative privileges to a group of user for a group of a PC in an Active Directory Enviroment.

For Example i have :

  • HelpDesk_User : Group of user
  • HelpDesk_PC : Group of Computer

I want to give at each member of HelpDesk_User group local administrator priviledges on each computer member of HelpDesk_PC. Can i do this throgh Group policy ? How ?

At the moment i add manually HelpDesk_User group(or each member of this group) to local administrator group for each computer, Is there a way to do it through centralized AD group policy ?

Thanks.

Ryan Fisher
  • 2,218
  • 16
  • 13
aleroot
  • 3,160
  • 5
  • 28
  • 37

1 Answers1

10

Yes, you're after Restricted Groups.

  1. Create a new GPO for the OU of your workstations.
  2. Computer Configuration -> Windows Settings -> Restricted Groups
  3. Right click, Add Group
  4. Choose your group for users who are going to be local workstation admins
  5. This group is a member of -> Add, and enter Administrators

Exit out of the GPO, and run gpupdate /force on the workstations to pick up the new GPO. Check in the local users/groups to see if your admins group is in the local administrators group.

See here for more pics: http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/17/how-to-add-domain-accounts-to-local-administrators-group-using-gpo.aspx

George Hewitt
  • 1,066
  • 7
  • 13
  • You left out a hugely important bit of information re: Restricted Groups... This GPO setting will **OVERWRITE** the group it applies to. You need to add **EVERY** user/group that you want to be a member of the local "Administrators" group. – Ryan Fisher Oct 26 '10 at 19:23