I'm trying to give a user, let's call her Lara, administrative access to PCs on a single campus of my company's. Let's call that campus Mayan Temple. I'd like to create a group in Active Directory called Mayan Admins that has administrative access to these PCs in the Mayan Temple. The previous IT guy had just been adding people to Domain Admins, which is obviously a horridly insecure practice. I've already created the group and added Lara to it. How can I use group policy to add Mayan Admins to the Administrators group on all PCs in Mayan Temple, or otherwise give Mayan Admins administrative access?
Well....... How many computers are we talkin' about here? You might have to add that group under the administrator group under each computer.
So go to the computer, right click My Computer -> Manage, go to users and groups, and find administrator and add Mayan Temple.
That's how I do it here, but fortunately we add that group each time we build a new computer... I'm not sure if there's an easier way to do it without having to do that to each computer.
If I am reading this correctly, if you have the group created with the permissions you want applied, you can go to each user you want in this group, right click on their account, hit Properties, hit the Member Of tab, then add the group under there.
Yeah, I know I could do that if I was ever on site, or if I wanted to remote in to each goddamn PC and do it. Unfortunately we're talking about 50 PCs in a different state. It would be an extreme hassle. There's got to be a way to add users through group policy, I'll keep looking. Thanks for the reply though.
The group is created, but does not yet have administrative rights to all the PCs in Mayan Temple. That's what I'm trying to figure out how to do with group policy, or in some other fashion in AD. I could easily give it access to all PCs, but that's bad. That would give the client administrative access to every PC in the company; that's over 600 PCs in 8 locations and would even include the executives' PCs. This was the way it was done previously, and is what I'm working to undo. As it is, Joe Bob the IT helper guy at Aztec Temple could administer any machine in the company if he was smart enough or evil enough to try.
You don't need to remote into all of them. If you have admin privileges do this:
Right click My Computer, go to Manage. When that new dialog appears, right click on Computer Management (Local) at the top of the pane, and go to Connect to another computer...
Then type in the IP address or computer name if you're on the same network. That's much easier.
Bah, I'm an idiot, I can't believe I forgot about managing them remotely. I'll use that as a stopgap measure until I find the most efficient way to do this. Thanks.
I found it! You can add a group you created in Active Directory to the Administrators group on every computer in a specific OU (container) using the Restricted Groups policy. You can apply this through group policy on the specific OU. Page 2-32 in the Windows Server 2003 Network Training Kit book.