
What I would like to do is grant permission for a domain account to log on to any server/workstation and be a local administrator with having to add this account to domain admin group?

This account only needs to be able to read folder sizes on all folders on a workstation/server.

Is there a GPO for that?

Dave
  • possible duplicate of [Remote Desktop Users via Group Policy Server 2008](http://serverfault.com/questions/329774/remote-desktop-users-via-group-policy-server-2008) – jscott Dec 20 '11 at 19:12
  • Also possibly of interest: http://serverfault.com/questions/227188/is-it-possible-to-add-a-local-user-to-the-admins-group-through-group-policy – jscott Dec 20 '11 at 19:16
  • @jscott Not an exact duplicate, but the process is absolutely identical except for the group that you choose from the drop down, so I voted for that as well. – MDMarra Dec 20 '11 at 19:22

3 Answers


You can use Group Policy Preferences to update whatever local group to contain whatever users you want it to, including the local administrators group.

GPP Screencap

MDMarra

Yes, this is definitely possible with a GPO.

You need to be careful though, that the GPO that makes the user a local admin on every machine does not also apply to the domain controllers, because a local admin on a DC is a domain admin.

It's all just a matter of your particular OU structure, where the computer accounts are, if/how you configure "Enforced" or "Block Inheritance," and/or WMI filters. There are too many different ways to accomplish it to really go over them all.

For instance, a common scenario is to do something like apply a GPO to the "Accounting" OU that makes all members of the "Accounting Dept Admins" local administrators of all the computer accounts that reside in the Accounting OU.

Ryan Ries
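
One way to check the caution in the answer above before relying on such a GPO (an added example, not part of the original answer). It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and the element names it searches for in the GPO report are an assumption about the report layout:

```powershell
# Added example, not from the thread. Lists GPOs in effect on the Domain Controllers OU
# that configure membership of BUILTIN\Administrators.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to all GPOs.
Import-Module GroupPolicy, ActiveDirectory

$adminSid = 'S-1-5-32-544'                      # well-known SID of BUILTIN\Administrators
$dcOu     = (Get-ADDomain).DomainControllersContainer

# InheritedGpoLinks = direct plus inherited links, after Block Inheritance and Enforced.
# It does NOT evaluate WMI filters or security filtering, so treat hits as "review this".
$links = (Get-GPInheritance -Target $dcOu).InheritedGpoLinks | Where-Object { $_.Enabled }

$findings = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml

    # Assumed report layout: GPP "Local Users and Groups" and Restricted Groups settings
    # appear as elements named LocalUsersAndGroups / RestrictedGroups.
    $nodes = $report.SelectNodes(
        "//*[local-name()='LocalUsersAndGroups' or local-name()='RestrictedGroups']")

    foreach ($node in $nodes) {
        # Match on the SID, falling back to the group name if the SID was not recorded
        if ($node.OuterXml -match [regex]::Escape($adminSid) -or
            $node.OuterXml -match 'Administrators') {
            [pscustomobject]@{
                Gpo       = $link.DisplayName
                Mechanism = $node.LocalName
                LinkedAt  = $link.Target
                Enforced  = $link.Enforced
                WmiFilter = (Get-GPO -Guid $link.GpoId).WmiFilter.Name
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Gpo, Mechanism -Unique | Format-Table -AutoSize
    Write-Warning "Review the GPOs above: they can change Administrators on domain controllers."
} else {
    "No GPO in effect on $dcOu configures the Administrators group."
}
```

A hit with a WMI filter listed may still be excluded from domain controllers by that filter, so confirm with a Resultant Set of Policy report on a DC.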

Great how-to here: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

TheCompWiz
  • Posting *only* links is really frowned upon. You should put the relevant content in an answer and then link to your source. – MDMarra Dec 20 '11 at 19:57
  • Thanks! I spoke to the network admin and we have a couple minor hurdles to jump over before we can do this, but your link is definitely going to help! – Dave Dec 20 '11 at 19:59
  • @mdarra Do you have something on the site to back that up? I'd certainly rather have a link to a complete answer rather than an incomplete answer. Your remark certainly goes against Jon Skeet's advice here http://msmvps.com/blogs/jon_skeet/archive/2009/02/17/answering-technical-questions-helpfully.aspx – Jim B Dec 20 '11 at 21:21
  • @JimB Lucky for us, Jon Skeet doesn't run the Stack Exchange network. You should read [this](http://serverfault.com/questions/how-to-answer). There are also multiple posts on m.so about this where all of the most highly voted/accepted answers say to provide more than just a link. – MDMarra Dec 20 '11 at 23:53
  • @JimB Also, the two are not mutually exclusive. I suggested leaving a summary **AND** the link. Jon Skeet even says this in the link that *you* provided: `"it's worth including some sort of summary of what you're linking to - a link on its own doesn't really invite the reader to follow it, whereas a quick description of what they'll find there provides more incentive."` – MDMarra Dec 20 '11 at 23:55
  • Sure, I guess I would consider "here's a how to" a summary, but I can certainly see how that's debatable. – Jim B Dec 21 '11 at 04:00