Add logged on user to local Administrators group via group policy?

Hi,

I want to add:

[DOMAIN NAME]\Domain Admins

AND

the user logging in to the computer, to the local administrators group. Not [DOMAIN NAME]\Domain Users via computer policy and restricted groups. How do I do this via a group policy? :-|...

January 8th, 2013 1:01pm

Hi,

I don't get it: you want the group to contain Domain Admins group and ANY user who logs into the computer? Or just some user (added manually) + domain Admins?
If the second, then look into GP Preferences: they do it.

January 8th, 2013 1:21pm

use group policy preferences (within the GPO itself) to add a domain user or group to local admin on the machine

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/


  • Proposed as answer by [- Alex -] Tuesday, January 08, 2013 1:23 PM
  • Edited by [- Alex -] Tuesday, January 08, 2013 1:23 PM
  • Unproposed as answer by Allan Kjaer Tuesday, January 08, 2013 1:24 PM
January 8th, 2013 1:22pm

No, doesn't work (I wrote "Not [DOMAIN NAME]\Domain Users via computer policy and restricted groups."). I do not want to manually put in every user in a group policy, I want the user logging on to Windows to be added to the local Administrators group.
January 8th, 2013 1:24pm

I want the user logging on to Windows to be added to the local Administrators group. If I want the daily user to be local admin, I would have to make a group policy for every computer/user.
January 8th, 2013 1:25pm

Again: ANY user? So, like, I'm not a local admin, I'm logging into the computer and now I am local admin?
It is solvable, but doesn't seem to be a good solution for any problem to me. Can you please explain what problem you are trying to solve this way: probably there are more suitable solutions.

January 8th, 2013 1:27pm

The issue is that I want all my users to be able to install and control all software/settings on their own computer. But it must not be possible for them to browse to C$ on all other computers.
January 8th, 2013 1:29pm

Well, it still doesn't feel like a good solution: as soon as user A is logged into computer B he will be able to browse the computer. And he can do it, say, through RDP services, not even physically. Therefore, there is no need to think of something complex, because the task as it is formulated will bring you to "everyone sees everyone's drive C$".
So, for installing software I'd look into some tools like SCCM, but for changing settings: I don't know the solution.
The task as you declared it can be solved through some application/script which is run when a user is logged in (easily done through Windows Scheduler in Windows younger than Windows Vista, AFAIK). The app/script must be run with SYSTEM credentials and add the user into the group.
Still, I highly discourage you from doing what you are going to do: you'll be in big trouble sooner or later with it. Just try to build some manageable environment: it'll cost you more now, but will save money and time in future.

January 8th, 2013 1:39pm

I was thinking about the same thing ("Well, it still doesn't feel to be a good solutions: as soon as the user A is logged into computer B he will be able to browse the computer."), but for the user to log on using RDP he/she must have access to use RDP on the computer first. If this is disabled the user should not be able to log on using RDP.

I am not interested in using SCCM because all users are software developers and they need to be able to install software on their own. I could spend all day installing software for my users if they could not install it themselves.

Can I somehow NOT use "Domain Users" group when adding users to the "Restricted Groups" if I want my users to be able to install software but not be able to access C$, ADMIN$ and so on?

January 8th, 2013 1:56pm

Told you:

"The task as you declared it can be solved through some application/script which is run when a user is logged in (easily done through Windows Scheduler in Windows younger than Windows Vista, AFAIK). The app/script must be run with SYSTEM credentials and add the user into the group."
January 8th, 2013 2:11pm

OK, thanks. But since this is a "Windows Server Forums >  Group Policy"-forum I was looking for a group policy setting.

If not a group policy setting I would probably run it as a logon script. If you know that it can be done with an application script then how is this accomplished?

January 8th, 2013 2:15pm

There is no such GP setting. You can deliver your script via GPO, but that's all. As I said before, what you are trying to get is quite far from best practices, and GPO is usually used to get us closer to them =)

January 8th, 2013 3:01pm

> If not a group policy setting I would probably run it as a logon script. If you know that it can be done with an application script then how is this accomplished?

Group Policy Preferences "Local Users and Groups" can do that: "Add the current user". Don't forget to "remove all members" to remove users logging on earlier.
January 9th, 2013 2:46pm

Hi Martin,

This sounds interesting. Can you tell me more about where to find this setting/preference? I can't seem to find it.

January 10th, 2013 7:25am

> This sounds interesting. Can you tell me more about where to find this setting/preference? I can't seem to find it.

Hm. OS you are using? GPP is only available in GPMC/GPEdit starting with Vista and above. And according to your certifications, you for sure should know about Group Policy Preferences ;-)) SCNR.

http://technet.microsoft.com/en-us/library/cc731972.aspx

regards, Martin
January 10th, 2013 10:49am

Yes, I know about group policies... , but it's a question of what terms are used. The link you sent me doesn't tell me much about how to get the problem solved. It's just a general tech note. Here is the policy I would normally use to add members to the computer, so where is the setting you refer to?: 

January 10th, 2013 11:04am

In GPEdit, move down to user configuration - preferences - control panel: local users and groups. The online help is quite ok for these items. And of course, if questions arise, feel free to ask - you're welcome!

regards, Martin
January 10th, 2013 4:50pm

The problem with this setting, we have discovered, is that this takes two logins to take effect.  This is fine for people who use one primary computer, but does not work as expected for a lab environment.  Referenced in the technet article below:

http://technet.microsoft.com/en-us/library/cc732525.aspx

"Group memberships for the current user take effect during the next user logon."

If the box to "Delete all member users" is checked, it causes the following behavior... User A logs on to computer A.  Their security token is created and they are logged on PRIOR to being added to the local admin group, so they need to log on again to get the newly built security token.  Once they log on again, the security token is built on their group membership before the GPP item is run, which then deletes and re-adds their login to the group.  Not a problem since they already have the correct token granting local admin rights (since it is based on the previous local admin group membership).  The problem occurs when User B logs on to computer A.  They will NOT be in the group, their token will NOT contain the proper membership until AFTER they log on again.  This will then REMOVE User A from the local admin group, thus causing User A to have to log on twice.

This behavior basically makes the GPP unusable for the problem described.  It may not impact someone who uses the same system everyday, but it is a major headache for lab environments.

March 26th, 2013 2:03pm
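The two-logon effect described above can be checked on a machine directly. The following PowerShell function is an added example, not code from any poster in the thread: it compares the Administrators membership recorded in the current logon token (read via whoami, which also shows the UAC "deny only" entry) with the membership recorded in the local group right now, and reports which of the two lag cases from the post applies. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, and only sees direct members of the local group, not membership nested through a domain group.

```powershell
# Added example (not from the thread): does the logon token agree with the
# local Administrators group, or is a second logon still needed?
function Test-AdminTokenLag {
    $adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # 1. Membership as recorded in the token built at logon. whoami lists every
    #    group SID in the token, including the UAC "Group used for deny only"
    #    entry, so this works from an unelevated prompt.
    $tokenEntries = @(whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq $adminsSid })
    $inToken = $tokenEntries.Count -gt 0

    # 2. Membership as recorded in the local group right now. Only direct
    #    members are listed; nesting via a domain group is not followed.
    $sidObj  = [System.Security.Principal.SecurityIdentifier]$adminsSid
    $inGroup = @(Get-LocalGroupMember -SID $sidObj -ErrorAction Stop |
        Where-Object { $_.SID.Value -eq $me.User.Value }).Count -gt 0

    [pscustomobject]@{
        User             = $me.Name
        TokenHasAdmins   = $inToken
        GroupListsUser   = $inGroup
        # GPP added the user after the token was built: log on again.
        NeedsSecondLogon = ($inGroup -and -not $inToken)
        # "Delete all member users" ran for someone else: this session keeps
        # admin rights until the user logs off.
        StaleAdminToken  = ($inToken -and -not $inGroup)
    }
}

Test-AdminTokenLag | Format-List
```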

Yes, it obviously takes two logins because the user is only added to the administrator user group after the first login and then after the second login the account has the privileges. I use this feature when setting up a computer and it has been working perfectly for months. Hope you find a solution.
March 26th, 2013 5:01pm

I appreciate the response... I understand how it works, but this behavior is hurting our ability to use a training lab.  People commonly use a different system in the lab everyday, and logging on twice is a major annoyance.  To me it seems like it would make more sense to alter the processing of this GPP to run before the security token is built for the user.

I agree it works perfectly well for people who use one computer everyday.  The real issue is for multi-user systems which we have several of in our environment.  I am open to suggestions if there is a possible workaround. 

Thanks 

March 26th, 2013 6:20pm

Using the procedure that [-Alex-] referenced in http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/ should give you what you want, if you substitute the static user with %DomainName%\Domain Users.

I hope this helps,

James

April 12th, 2013 10:49pm

Wouldn't that give ALL domain users local admin?  We're trying to avoid that, as we only need the current user to have admin rights.  We did end up giving 'domain users' admin rights on the multi-user machines, but that has not been the ideal solution.
  • Edited by steelie Monday, May 06, 2013 12:56 PM
May 6th, 2013 12:55pm

I know this is rather old, but I faced a similar problem and used NT Authority\Interactive added to the Administrators group. This makes the current user an administrator.
  • Proposed as answer by tausifkhan 2 hours 30 minutes ago
July 12th, 2015 1:14am
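The last two suggestions (Domain Users, NT AUTHORITY\Interactive) make every domain account, or every interactive logon including RDP, a local administrator, which is exactly the C$ exposure the thread set out to avoid. The following PowerShell audit is an added example, not code from the thread or from any of its posters: it lists members of the local Administrators group that are broad principals rather than specific users or admin groups. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module; the SIDs and RIDs used are the documented well-known values.

```powershell
# Added example (not from the thread): flag over-broad members of the local
# Administrators group, looked up by SID so localized group names do not matter.
function Get-BroadLocalAdmins {
    $wellKnown = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE: every interactive logon, RDP included'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # Domain-wide groups are <domain SID>-<RID>; match on the well-known RID.
    $domainRids = @{
        '513' = 'Domain Users'
        '514' = 'Domain Guests'
        '515' = 'Domain Computers'
    }
    $admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

    foreach ($m in Get-LocalGroupMember -SID $admins -ErrorAction Stop) {
        $sid = $m.SID.Value
        $why = $null
        if ($wellKnown.ContainsKey($sid)) {
            $why = $wellKnown[$sid]
        } elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and
                  $domainRids.ContainsKey($Matches[1])) {
            $why = $domainRids[$Matches[1]]
        }
        if ($why) {
            [pscustomobject]@{ Member = $m.Name; SID = $sid; Grants = $why }
        }
    }
}

# Produces no rows when only specific accounts and admin groups are members.
Get-BroadLocalAdmins | Format-Table -AutoSize
```

Run it from a GPO startup script or a monitoring agent and alert on any row; an empty result is the expected state for a machine that only grants admin to its current user.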
