Active Directory Question

Luq Registered User regular
edited February 2008 in Help / Advice Forum
I'm trying to give a user, let's call her Lara, administrative access to PCs on a single campus of my company's. Let's call that campus Mayan Temple. I'd like to create a group in Active Directory called Mayan Admins that has administrative access to these PCs in the Mayan Temple. The previous IT guy had just been adding people to Domain Admins, which is obviously a horrid insecure practice. I've already created the group and added Lara to it. How can I use group policy to add Mayan Admins to the Administrators group in all PCs in Mayan Temple, or otherwise give Mayan Admins administrative access?

FFRK:jWwH RW:Onion Knight's Sage USB

Posts

  • urahonky Registered User regular
    edited February 2008
    Well....... How many computers are we talkin' about here? You might have to add that group under the administrator group under each computer.

    So go to the computer, right click My Computer -> Manage, go to users and groups, and find administrator and add Mayan Temple.

    That's how I do it here, but fortunately we add that group each time we build a new computer... I'm not sure if there's an easier way to do it without having to do that to each computer.

  • KMFurDM Registered User, ClubPA regular
    edited February 2008
    If I am reading this correctly, if you have the group created with the permissions you want applied, you can go to each user you want in this group, right click on their account, hit Properties, hit the Member Of tab, then add the group under there.

  • Luq Registered User regular
    edited February 2008
    Yeah, I know I could do that if I was ever on site, or if I wanted to remote in to each goddamn PC and do it. Unfortunately we're talking about 50 PCs in a different state. It would be an extreme hassle. There's got to be a way to add users through group policy; I'll keep looking. Thanks for the reply though.

  • Luq Registered User regular
    edited February 2008
    The group is created, but does not yet have administrative rights to all the PCs in Mayan Temple. That's what I'm trying to figure out how to do with group policy, or in some other fashion in AD. I could easily give it access to all PCs, but that's bad. That would give the client administrative access to every PC in the company; that's over 600 PCs in 8 locations and would even include the executives' PCs. This was the way it was done previously, and is what I'm working to undo. As it is, Joe Bob the IT helper guy at Aztec Temple could administer any machine in the company if he was smart enough or evil enough to try.

  • urahonky Registered User regular
    edited February 2008
    You don't need to remote into all of them. If you have admin privileges do this:

    Right click My Computer, go to Manage. When that new dialog appears, right click on Computer Management (Local) at the top of the pane, and go to Connect to another computer...

    Then type in the IP address or computer name if you're on the same network. That's much easier.

  • Luq Registered User regular
    edited February 2008
    Bah I'm an idiot, I can't believe I forgot about managing them remotely. I'll use that as a stopgap measure until I find the most efficient way to do this. Thanks.

  • urahonky Registered User regular
    edited February 2008
    :) No problem sir. Good luck.

  • Luq Registered User regular
    edited February 2008
    I found it! You can add a group you created in Active Directory to the Administrators group on every computer in a specific OU (container) using the Restricted Groups policy. You can apply this through group policy on the specific OU. Page 2-32 in the Windows Server 2003 Network Training Kit book.

    FFRK:jWwH RW:Onion Knight's Sage USB
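
An added example, not part of the thread: Restricted Groups settings are saved in the GPO's GptTmpl.inf under `[Group Membership]`, and the two modes differ. A non-empty `Members` list on Administrators is authoritative and removes unlisted local admins at refresh, while `Memberof` only adds the group. The sketch below reports which mode a policy uses; the domain SID, RID 1105 standing in for Mayan Admins, and both sample files are constructed.

```python
import configparser

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed SID standing in for the thread's "Mayan Admins" domain group.
MAYAN_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed samples. Real GptTmpl.inf files are usually UTF-16; decode first.
SAMPLE_ADDITIVE = f"""\
[Unicode]
Unicode=yes
[Group Membership]
{MAYAN_ADMINS}__Memberof = {ADMINISTRATORS}
{MAYAN_ADMINS}__Members =
"""
SAMPLE_REPLACE = f"""\
[Group Membership]
{ADMINISTRATORS}__Memberof =
{ADMINISTRATORS}__Members = {MAYAN_ADMINS}
"""

def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from inf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep SIDs and key suffixes case-preserved
    cp.read_string(inf_text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        if kind.lower() not in ("members", "memberof"):
            continue
        entry = groups.setdefault(group, {"members": [], "memberof": []})
        entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def admin_grants(inf_text):
    """List (mode, principal) pairs that end up in local Administrators."""
    findings = []
    for group, entry in restricted_groups(inf_text).items():
        if group == ADMINISTRATORS:
            # Authoritative list: local admins not named here are removed.
            findings += [("replace", m) for m in entry["members"]]
        elif ADMINISTRATORS in entry["memberof"]:
            # Additive: the group joins Administrators, existing members stay.
            findings.append(("add", group))
    return findings
```

Only entries that name Administrators by SID are matched; a policy that refers to the group by name would need an extra comparison.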