active directory - giving local admin privilege?

roberttran

Hey,
I made another thread yesterday, and it was helpful, but now I have another scenario I'm trying to figure out.

I have servers in an OU. Group A and Group B are allowed to log in as users to the servers in the OU. Group A though are only guest users and can't install apps, reboot the machine, etc. Group B though has full admin access to the machine.

How would I go about giving Group B local admin rights to a machine in an Active Directory while keeping Group A guest users? Would a GPO be needed for that OU?

Thanks,
Robert
 
Setting user accounts as local admins to their systems

You could place the following command in a logon script -> "net localgroup
administrators OLDDOMAIN\User1 /add > NUL" watch the wrap and without the
quotes.


Or you could use restricted groups in AD.


Start Active Directory Users and Computers from any domain controller.
Create an organizational unit, and then move all of the appropriate
workstations and member servers to that organizational unit. Create a global
group in that organizational unit, and then add the appropriate users to
that group.


IMPORTANT: Complete the remaining steps from a Windows 2003-based member
server or a Windows 2000/XP Professional-based workstation with the Adminpak
installed.
Start Active Directory Users and Computers, right-click the organizational
unit, and then click Properties.
Click the Group Policy tab, click NEW, and then name the policy.
Click the policy, and then click Edit.
Right-click Restricted Groups (under Computer Configuration\Windows
Settings\Security Settings\Restricted Groups), and then click Add Group.
Click Browse. Focused on the local computer, click the group to which you
want your global group to be a member (in this case, the "Administrators"
group), click ADD, and then click OK. You are returned to the group policy
and you see the administrators group listed in the Restricted Groups window.
Right-click the group, and then click Security.
To the right side of the Members of this Group box, click ADD, and then
click Browse.
Locate the group in the organizational unit that you want to place in the
administrators group, and then add it to the group. After you do so, close the
group policy.
At a command prompt, type gpupdate /force, and then press ENTER.
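
An added example, not part of either post above: a PowerShell check to run after gpupdate that confirms the Restricted Groups policy produced the membership the question asks for (Group B in the local Administrators group, Group A not). The names CORP\GroupA, CORP\GroupB, SRV01 to SRV03 and the OU distinguished name are assumptions, and Compare-AdminMembership and Get-OuAdminReport are hypothetical helper names.

```powershell
# Added example. Assumed names (not from the thread): CORP\GroupA, CORP\GroupB.
$Required  = @('CORP\GroupB')   # must be a local admin on every server in the OU
$Forbidden = @('CORP\GroupA')   # must never appear in local Administrators

# Compare one machine's Administrators members against the intended policy.
function Compare-AdminMembership {
    param([string]$Computer, [string[]]$Members)
    [pscustomobject]@{
        Computer  = $Computer
        Missing   = @($Required  | Where-Object { $Members -notcontains $_ })
        Forbidden = @($Forbidden | Where-Object { $Members -contains $_ })
        Members   = $Members -join ', '
    }
}

# Live collector: needs the RSAT ActiveDirectory module and PowerShell remoting.
function Get-OuAdminReport {
    param([string]$SearchBase)
    foreach ($c in Get-ADComputer -SearchBase $SearchBase -Filter *) {
        try {
            $m = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
                # S-1-5-32-544 is BUILTIN\Administrators regardless of OS language
                (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
            }
            Compare-AdminMembership -Computer $c.Name -Members $m
        } catch {
            Write-Warning "$($c.Name): $($_.Exception.Message)"
        }
    }
}

# Constructed sample of what the collector returns, so the comparison runs offline.
$sample = @{
    'SRV01' = @('SRV01\Administrator', 'CORP\GroupB')                  # as intended
    'SRV02' = @('SRV02\Administrator', 'CORP\GroupA', 'CORP\GroupB')   # Group A is admin
    'SRV03' = @('SRV03\Administrator', 'CORP\Domain Admins')           # policy not applied
}
$sample.GetEnumerator() | Sort-Object Key | ForEach-Object {
    Compare-AdminMembership -Computer $_.Key -Members $_.Value
} | Where-Object { $_.Missing -or $_.Forbidden } | Format-Table -AutoSize

# Live run against an assumed OU:
# Get-OuAdminReport -SearchBase 'OU=Servers,DC=corp,DC=example'
```

The check looks at direct members only, so an account that reaches Administrators through a nested group is not expanded. The "Members of this group" list in Restricted Groups replaces the existing membership when the policy applies, so review the Members column for accounts that were expected to keep admin rights.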
 