3

Is there a good way to solve the following?

  • Domain has an AD security group called "Workstation Administrators", for users that should not be domain admins, but should have local administrative control over all workstations in the domain
  • Technicians frequently forget to manually add this group after joining a PC to the domain and waste time later on having to diagnose, go back and do it

Anybody know an automatic way of adding this group, or running a script on domain-join? Or would we need to run an automated audit process every so often after the fact?

Brandon

2 Answers

10

Create a Group Policy Object and link it to the topmost OU that has workstation accounts. Then configure the Restricted Groups settings to add "Workstation Administrators" to the local group "Administrators" (or whatever the name is in your locale).

How-to: Using Restricted Groups

chankster
  • +1 - Restricted Groups is your friend for this. The only complaint I have with it is that a Restricted Groups policy can't merge with the existing local group membership or other Restricted Groups policies that apply to that computer. I have Customers where I have a "All PCs in the Organization Local Administrators" group and several "All PCs in Building #xx of City xxx Local Administrators" groups and a whole mess of Restricted Group policies to make it work. It'd be nice if the policies could just "stack"... – Evan Anderson Jul 31 '09 at 19:18
  • Actually if you are using Group Policy extensions for Win2008 you can modify the Admins Group and remove and add individual members: http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html - According to the article you just need to have a Win2008 or Vista SP1 machine on the domain to access the tools. I've never used it myself, but given the way GP is processed, I imagine you could use separate GPOs to stack permissions throughout the directory like you want. – August Jul 31 '09 at 19:31
  • 6
    Evan: Actually you can merge settings. Just use the second option. What I mean is you make "Workstation Admins" a restricted group and make sure it is always a member of "Administrators" (using the second listbox/add button in the restricted group properties). – chankster Jul 31 '09 at 19:46
  • chankster YES! Not enough people realize how that second option is used. – Ryan Bolger Jul 31 '09 at 22:56
  • @chankster: I'm gonna have to look into that. I'm not sure I follow you, but I'll mock it up on my lab DC here and see what I can do. I'm going to feel like a raging moron if there's simple functionality to do what I want and I've been missing it all these years... – Evan Anderson Aug 04 '09 at 03:09
  • @chankster: Update: I feel like a raging moron... >smile – Evan Anderson Jul 28 '10 at 21:35
  • Something so simple shouldn't be so complicated to explain - chankster - you're a GENIUS! :) – jjrab Oct 22 '10 at 20:37
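As an added illustration of the two Restricted Groups modes the answer and chankster's comment describe (this is not from the original answer), here is what the two choices look like in the GPO's security template, `GptTmpl.inf`, which the Group Policy editor writes under `Machine\Microsoft\Windows NT\SecEdit\` in the policy's SYSVOL folder; the domain name CONTOSO is assumed, and `*S-1-5-32-544` is the well-known SID of the built-in Administrators group, used so the entry works in any locale.

```ini
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Option 2, "This group is a member of" (what chankster recommends):
; the restricted group is Workstation Administrators, and the policy only
; guarantees it is a member of local Administrators. Existing local members
; and other GPOs that use the same form are left alone, so policies stack.
CONTOSO\Workstation Administrators__Memberof = *S-1-5-32-544
CONTOSO\Workstation Administrators__Members =

; Option 1, "Members of this group" (what causes Evan's merging problem):
; the restricted group is local Administrators itself, and its membership
; is reset to exactly this list at every policy refresh. Anyone added
; locally, and any other GPO's additions, are removed. Shown for contrast,
; do NOT combine it with the entry above for the same machines.
; *S-1-5-32-544__Members = CONTOSO\Domain Admins,CONTOSO\Workstation Administrators
; *S-1-5-32-544__Memberof =
```

After the next policy refresh (`gpupdate /force` on a test workstation), `net localgroup Administrators` should list the domain group alongside whatever was already there; if previously present local members have vanished, a policy of the first form is still in effect somewhere in the OU chain.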
2

If Restricted Groups is too restrictive, or you are unable to utilise Group Policy Client-side Extensions, you can use a VBScript assigned as a GPO computer startup script linked to the relevant OU/s.

See KB555026.

ThatGraemeGuy