Hi,
I want to add:
[DOMAIN NAME]\Domain Admins
AND
the user logging in to the computer, to the local administrators group. Not [DOMAIN NAME]\Domain Users via computer policy and restricted groups. How do I do this via a group policy? :-|...
Hi,
I don't get it: you want the group to contain the Domain Admins group and ANY user who logs into the computer? Or just some user (added manually) + Domain Admins?
If the second, then look into GP Preferences: they do it.
"Allan Kjaer" wrote in message news:12df483b-bb39-45aa-a2f4-99df2ee54384@communitybridge.codeplex.com...
Hi,
I want to add:
[DOMAIN NAME]\Domain Admins
AND
the user logging in to the computer, to the local administrators group. Not [DOMAIN NAME]\Domain Users via computer policy and restricted groups. How do I do this via a group policy?
use group policy preferences (within the GPO itself) to add a domain user or group to local admin on the machine
Again: ANY user? So, like, I'm not a local admin, I'm logging into the computer and now I am local admin?
It is solvable, but it doesn't seem to be a good solution for any problem to me. Can you please explain what problem you are trying to solve this way: probably there are more suitable solutions.
"Allan Kjaer" wrote in message news:8aef9633-799e-46fc-b60a-6354e7029cb5@communitybridge.codeplex.com...
No, doesn't work (I wrote "Not [DOMAIN NAME]\Domain Users via computer policy and restricted groups."). I do not want to manually put in every user in a group policy, I want the user logging on to Windows to be added to the local Administrators
Well, it still doesn't feel like a good solution: as soon as user A is logged into computer B he will be able to browse the computer. And he can do it, say, through RDP services, not even physically. Therefore there is no need to think of something complex, because the task as it is formulated will bring you to "everyone sees everyone's drive C$".
So, for installing software I'd look into some tools like SCCM, but for changing settings: I don't know the solution.
The task as you declared it can be solved through some application/script which is run when a user is logged in (easily done through Windows Scheduler in Windows younger than Windows Vista, AFAIK). The app/script must be run with SYSTEM credentials and add the user into the group.
Still I highly discourage you from doing what you are going to do: you'll be in big trouble sooner or later with it. Just try to build some manageable environment: it'll cost more to you now, but will save money and time in future.
"Allan Kjaer" wrote in message news:611aeebc-2a45-4531-b49e-7cd74b4bfb56@communitybridge.codeplex.com...
The issue is, that I want all my users to be able to install and control all software/settings on their own computer. But it must not be possible for them to browse to C$ on all other comp
I was thinking about the same thing ("Well, it still doesn't feel to be a good solutions: as soon as the user A is logged into computer B he will be able to browse the computer."), but for the user to log on using RDP he/she must have access to use RDP on the computer first. If this is disabled the user should not be able to log on using RDP.
I am not interested in using SCCM because all users are software developers and they need to be able to install software on their own. I could spend all day installing software for my users if they could not install it themselves.
Can I somehow NOT use "Domain Users" group when adding users to the "Restricted Groups" if I want my users to be able to install software but not be able to access C$, ADMIN$ and so on?
Told you:
"The task as you declared it can be solved through some application/script which is run when a user is logged in (easily done through Windows Scheduler in Windows younger than Windows Vista, AFAIK). The app/script must be run with SYSTEM credentials and add the user into the group."
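The logon-time script described above (run as SYSTEM from a scheduled task with a logon trigger), as an added example that is not from the thread. It assumes a domain group named "Developers" that gates who gets local admin, and it keeps Domain Admins and the built-in Administrator while dropping other per-user entries, so the group ends up as "Domain Admins + the user at the console" rather than everyone who ever logged on.

```powershell
# Added example, not from the thread. Run as SYSTEM via a scheduled task (trigger: "At log on").
# Assumption: only members of the domain group $ApprovedGroup may become local admins.
param([string]$ApprovedGroup = 'Developers')

# Who is at the console? Win32_ComputerSystem.UserName is "DOMAIN\user" for the interactive user.
$console = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $console) { Write-Output 'No interactive user; nothing to do.'; exit 0 }
$domain, $user = $console -split '\\', 2

# Gate on domain group membership (AccountManagement API; no RSAT modules needed).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
$up  = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $user)
$grp = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $ApprovedGroup)
if (-not $up -or -not $grp -or -not $up.IsMemberOf($grp)) {
    Write-Output "$console is not in $domain\$ApprovedGroup; not granting local admin."
    exit 0
}

# Audit trail: register an event source once (needs SYSTEM/admin, which this task has).
$src = 'LocalAdminLogon'   # assumed name for the event source
if (-not [System.Diagnostics.EventLog]::SourceExists($src)) {
    New-EventLog -LogName Application -Source $src
}

# Accounts that always stay in the group, whatever user is at the console.
$keep = @("$domain\Domain Admins", "$env:COMPUTERNAME\Administrator", $console)

# Mirror the GPP "Delete all member users" idea, but only for user objects:
# remove user entries left behind by earlier logons, never groups.
$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    if ($m.ObjectClass -eq 'User' -and $keep -notcontains $m.Name) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        Write-EventLog -LogName Application -Source $src -EventId 1002 -EntryType Information `
            -Message "Removed $($m.Name) from Administrators (console user is $console)"
    }
}

# Idempotent add: Add-LocalGroupMember errors if the account is already a member.
if ($members.Name -notcontains $console) {
    Add-LocalGroupMember -Group 'Administrators' -Member $console
    Write-EventLog -LogName Application -Source $src -EventId 1001 -EntryType Information `
        -Message "Added $console to Administrators"
    # Note: the user's logon token was built before this ran; admin rights appear on the next logon.
}
```

The same caveat as with the GPP setting applies: the membership change lands after the logon token was built, so the first logon on a given machine still does not carry admin rights.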
OK, thanks. But since this is a "Windows Server Forums > Group Policy"-forum I was looking for a group policy setting.
If not a group policy setting I would probably run it as a logon script. If you know that it can be done with an application script then how is this accomplished?
There is no such GP setting. You can deliver your script via GPO, but that's all. As I said before, what you are trying to get is quite far from best practices, and GPO is usually used to get us closer to them =)
"Allan Kjaer" wrote in message news:8c17154a-9739-4dcf-a83c-99d8824fb7af@communitybridge.codeplex.com...
OK, thanks. But since this is a "Windows Server Forums > Group Policy"-forum I was looking for a group policy setting.
If not a group policy setting I would probably run it as a logon script. If you know that it can be done with an application script then how is this accompl
Hi Martin,
This sounds interesting. Can you tell me more about where to find this setting/preference? I can't seem to find it.
Yes, I know about group policies..., but it's a question of what terms are used. The link you sent me doesn't tell me much about how to get the problem solved. It's just a general tech note. Here is the policy I would normally use to add members to the computer, so where is the setting you refer to?:
The problem with this setting, we have discovered, is that this takes two logins to take effect. This is fine for people who use one primary computer, but does not work as expected for a lab environment. Referenced in the technet article below:
http://technet.microsoft.com/en-us/library/cc732525.aspx
"Group memberships for the current user take effect during the next user logon."
If the box to "Delete all member users" is checked, it causes the following behavior... User A logs on to computer A. Their security token is created and they are logged on PRIOR to being added to the local admin group, so they need to log on again to get the newly built security token. Once they log on again, the security token is built on their group membership before the GPP item is run, which then deletes and re-adds their login to the group. Not a problem since they already have the correct token granting local admin rights (since it is based on the previous local admin group membership). The problem occurs when User B logs on to computer A. They will NOT be in the group, their token will NOT contain the proper membership until AFTER they log on again. This will then REMOVE User A from the local admin group, thus causing User A to have to log on twice.
This behavior basically makes the GPP unusable for the problem described. It may not impact someone who uses the same system everyday, but it is a major headache for lab environments.
I appreciate the response... I understand how it works, but this behavior is hurting our ability to use a training lab. People commonly use a different system in the lab everyday, and logging on twice is a major annoyance. To me it seems like it would make more sense to alter the processing of this GPP to run before the security token is built for the user.
I agree it works perfectly well for people who use one computer everyday. The real issue is for multi-user systems which we have several of in our environment. I am open to suggestions if there is a possible workaround.
Thanks
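A way to confirm the "token built before the GPP item ran" state described above, as an added diagnostic that is not from the thread: it compares the Administrators SID in the current logon token with the group's membership as stored on the machine right now. The well-known SID S-1-5-32-544 is BUILTIN\Administrators; everything else is read from the running session.

```powershell
# Added example, not from the thread: does the current logon token match the group on disk?
function Get-LocalAdminState {
    $me       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # 1. What the logon token says. whoami lists the group even when UAC has marked it
    #    "Group used for deny only" in the filtered token, so presence alone is the signal.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $inToken = [bool]($tokenGroups | Where-Object { $_.SID -eq $adminSid })

    # 2. What the local group says now (direct members only; membership through a nested
    #    domain group is not resolved here, so "no direct entry" is not proof of "not admin").
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $inGroup = [bool]($members | Where-Object { $_.SID.Value -eq $me.User.Value })

    $state = if ($inToken -and $inGroup) {
        'Consistent: Administrators is in the token and the user is in the group'
    } elseif ($inGroup -and -not $inToken) {
        'Stale token: added to Administrators after logon; a second logon is needed'
    } elseif ($inToken -and -not $inGroup) {
        'Token carries Administrators but no direct entry now: nested membership, or removed since logon (e.g. another user logged on with "Delete all member users")'
    } else {
        'Not a local administrator'
    }

    [pscustomobject]@{
        User       = $me.Name
        InToken    = $inToken
        InGroupNow = $inGroup
        State      = $state
    }
}

Get-LocalAdminState | Format-List
```

Run it as the user who just logged on (not elevated); on a lab box where user B has just replaced user A in the group, user A's session reports the third state and user B's first session reports the second.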
Using the procedure that [-Alex-] referenced in http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/ should give you what you want, if you substitute the static user with %DomainName%\Domain Users.
I hope this helps,
James