Friday, March 21, 2008

Add domain user to local admin group through Group Policy

Using a security group with Restricted Groups (central management)
1. In Active Directory, create a global security group called LocalAdmin.
2. Add the users who should be local administrators as members of LocalAdmin.
3. Create a GPO linked to the OU that contains the workstations.
4. Edit the GPO: Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. Add the group name "Administrators".
5. Under "Members of this group", add Domain Admins and DOMAIN\LocalAdmin.
6. The change is applied at the next Group Policy refresh, so allow some time. One drawback of this method: the "Members of this group" list is authoritative. Every time the policy is refreshed, any current member of the local Administrators group that is not on the list is removed, and this can include default members such as administrators. For example, if DOMAIN\user1 had been added to the local Administrators group by hand in the past, DOMAIN\user1 will be removed from it on every machine the GPO applies to. If you want to add LocalAdmin without clearing the existing membership, use the other Restricted Groups list instead: add DOMAIN\LocalAdmin as the restricted group and put Administrators under "This group is a member of"; that setting only appends and never removes anyone.

If you would rather not have Restricted Groups replace the existing membership, use a computer startup script in a GPO instead. (Originally from http://www.tutorials-win.com; the posting can no longer be found.)
1. Create a startup script in the policy that runs this command: net localgroup Administrators "DOMAIN\Domain Group" /add (to add a single user instead, replace "DOMAIN\Domain Group" with DOMAIN\user). Startup scripts run as the local SYSTEM account, which is allowed to change local group membership.
2. Make sure the workstations are placed in the OU the GPO is linked to.
3. Limitations: the original posting says the domain group name has to be shorter than 30 characters (net.exe's /add is known not to accept names longer than 20 characters, so keep group names short). To add more than one domain group, run one net localgroup command per group. The script only ever adds: a group that is later taken out of the script stays in local Administrators until someone removes it by hand, and once a member is already present the command fails with error 1378 ("already a member"), which is harmless but appears in the script's output on every boot.
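As an added example (not from the original post or the cited tutorial), the following PowerShell startup script does the same job as the net localgroup line but idempotently: it enumerates the current members of the local Administrators group, adds only the domain groups that are missing, and can preview which existing members a Restricted Groups "Members of this group" list would strip. The domain name DOMAIN and the group names are assumptions to be replaced with your own. It uses the WinNT ADSI provider, which avoids net.exe's name-length limit and works on every Windows version (the Add-LocalGroupMember cmdlet exists only on Windows 10 / Server 2016 and later).

```powershell
# Added example, not the original post's script.
# Assumptions: domain is DOMAIN; groups are DOMAIN\Domain Admins and DOMAIN\LocalAdmin;
# the script runs as a computer startup script under the local SYSTEM account.
param(
    [string[]]$DesiredMembers = @('DOMAIN\Domain Admins', 'DOMAIN\LocalAdmin'),
    [switch]$ReportRemovals   # preview what a Restricted Groups "Members" list would remove
)

$ErrorActionPreference = 'Stop'

# Bind to the local Administrators group through the WinNT provider ("." = this computer).
$localGroup = [ADSI]'WinNT://./Administrators,group'

# Return current members as DOMAIN\Name (local accounts come back as COMPUTERNAME\Name).
function Get-CurrentMembers {
    $localGroup.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/LocalAdmin; rewrite it as DOMAIN\LocalAdmin.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$current = @(Get-CurrentMembers)
Write-Output ('Current Administrators: ' + ($current -join ', '))

foreach ($member in $DesiredMembers) {
    # -contains on strings is case-insensitive, matching Windows account names.
    if ($current -contains $member) {
        Write-Output "Already present: $member"
        continue
    }
    # net localgroup fails with error 1378 when the member already exists;
    # the check above keeps this script quiet on every reboot after the first.
    $domain, $name = $member -split '\\', 2
    $localGroup.Add("WinNT://$domain/$name")
    Write-Output "Added: $member"
}

if ($ReportRemovals) {
    # A Restricted Groups "Members of this group" list is authoritative: anyone not
    # on it is removed at the next refresh. Show who that would be on this machine.
    $wouldBeRemoved = $current | Where-Object { $DesiredMembers -notcontains $_ }
    Write-Output ('Restricted Groups would remove: ' + ($wouldBeRemoved -join ', '))
}
```

Run it once by hand with -ReportRemovals on a representative workstation before switching to the Restricted Groups method; the "would remove" line is exactly the set of hand-added accounts that the policy's authoritative list will drop. As a startup script, the output is only written to the script's console and is not logged anywhere, so redirect it to a file if you want a record.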
