Adding Group in Local Administrators with Policies 2

Status
Not open for further replies.

ReddLefty

IS-IT--Management
Mar 11, 2003
964
CA
I've tried to do this with policies but failed, maybe someone has tried or has a better idea:

I'm trying to add either "Domain Users" or "Authenticated Users" to the Local Administrator Group in client computers automatically when they become part of the domain.

I'm thinking this can be done with the security templates, but after trying a few times, I've failed... hence, this post!


 
In group policies under Computer Configuration\Security Settings\Restricted Groups

Right click and add a new group, call it administrators, or you can even browse and select the local administrators group on your computer. Now add the correct members to the group. That should work for you... that is what we do here.

Now just set in the permissions what computers this policy applies to.

Now all users will need to reboot for this to take effect or you can run
"secedit /refreshpolicy machine_policy /enforce"

Now once users reboot it will take effect, and when users join the domain.

Good luck.

-Matt
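Restricted Groups settings made in the Group Policy editor are saved in the GPO's security template (GptTmpl.inf) under a [Group Membership] section. As an added example that is not part of the original thread, this Python script reads such a template and reports when a catch-all principal such as the "Domain Users" or "Authenticated Users" discussed above is listed as a member of local Administrators or Power Users; the sample template and its domain SID are constructed.

```python
import re

# Well-known SIDs and RIDs documented by Microsoft.
PRIVILEGED = {"s-1-5-32-544": "Administrators", "s-1-5-32-547": "Power Users"}
BROAD_SIDS = {"s-1-1-0": "Everyone", "s-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
BROAD_NAMES = {n.lower() for n in (*BROAD_SIDS.values(), *BROAD_RIDS.values())}
DOMAIN_SID = re.compile(r"s-1-5-21-\d+-\d+-\d+-(\d+)$")

def broad_label(principal):
    """Name the principal if it covers (nearly) every account, else None."""
    p = principal.strip().lower()
    if p.startswith("*"):                      # '*' marks a SID in the template
        m = DOMAIN_SID.match(p[1:])
        return BROAD_SIDS.get(p[1:]) or (BROAD_RIDS.get(m.group(1)) if m else None)
    name = p.split("\\")[-1]                   # drop an optional DOMAIN\ prefix
    return name.title() if name in BROAD_NAMES else None

def audit_restricted_groups(inf_text):
    """Return (group, broad_member) pairs found under [Group Membership]."""
    findings, in_section = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = line.partition("=")
        group, marker, kind = key.strip().rpartition("__")
        if not (in_section and sep and marker and kind.lower() == "members"):
            continue
        gid = group.lstrip("*").lower()
        gname = PRIVILEGED.get(gid) or next(
            (n for n in PRIVILEGED.values() if n.lower() == gid), None)
        for member in value.split(","):
            label = broad_label(member) if gname else None
            if label:
                findings.append((gname, label))
    return findings

# Constructed sample template; the domain SID is made up.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-11
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

if __name__ == "__main__":
    for group, member in audit_restricted_groups(SAMPLE_INF):
        print(f"{group}: broad principal {member}")
```
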
 
Cool, I'll give this a try... if it works, you get a groovy star!
 
mwiner,

It's almost perfect...

The path is actually Computer Configuration\Windows Settings\Security Settings\Restricted Groups, but that was easy to figure out :) .

I added "Authenticated Users" and "Domain Users". Only the "Domain Users" seems to have been replicated properly, and only when I joined the domain. An existing computer did not get the policy, even after several reboots and forced refreshes.... But, I only need it when I first install the computer so it's good enough for me.

You get 'da star'.
 
Sorry about the missing item in the path. But I am glad you found it. And I am glad this worked for you.

For the machine that is giving you the problem check the event log to see if it is getting a userenv or Scecli error.
 
I have a similar issue. I need to add an entire department to the power users group so that the login script will map LPT1 to the printer. When I look in the GPO settings I cannot figure out how to add the users to this group with policies. Any help you could offer would be great.
 
You first have to add the group.

Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

Right click it and say "ADD GROUP". Now "Browse". Select the Power Users group that you see in the window. Click "ADD" then click "OK" and "OK" again. Now the Restricted Groups window will show "Power Users".

Now either double click or right click "Power Users" and go to "Security". For "Members of this Group" click add, then browse. Now select your domain in the pull down window, and select the users or groups to be in the local Power Users group. Click ADD, then OK, and OK again.

There you go... That should do it!

Now in the Restricted Groups window you should have the group name: Power Users, and members: the users/groups you selected.

Good luck!

-Matt
 
Matt, I do appreciate your help. Here is the problem that I encounter when I follow the steps that you gave me.
When I choose browse, the only thing I get is the Entire Directory or the domain; I never get a computer. If I try to UNC to the computer (e.g. \\Computer\power users) it can't find it. I have tried several groups, Administrators, Guest, just to see if it will connect, and it fails to work. My next step in troubleshooting this was to see if there were other computers on the network that I could get it from. But I have the same issue. It will only show the Active Directory.
 
OK, from the looks of that, you seem to be running the MMC on your domain controller. When you are logged into your DC running the MMC snap-in for Active Directory Users and Computers you will not see any local machine. You will need to be a local admin, so if you are a domain admin then you should be set.

First figure out what Service Pack you are running on your desktop. Then install the AdminPak off the CD for that Service Pack (e.g. If you are at sp2 then only install AdminPak off the sp2 CD) otherwise it may not install correctly.
Once the AdminPak is installed you can go to Start --> Programs --> Administrative Tools --> Active Directory Users and Computers. From there run the steps that I have outlined above. When you go to browse you will not see your Directory selected by default. By default you will see your local machine.

Give it a shot

Good luck.

-Matt
 
That was the step I was missing. I guess I should have stated that I was accessing the server using Terminal Services. Thanks for your help.
 