
W2K Server GPO - Adding DA's to all workstations...

Status
Not open for further replies.

Casasmith7712

IS-IT--Management
Mar 7, 2005
I am trying to find out if W2K GPOs can have the Domain Admins (DA) group added automatically to every workstation within my environment once they log in?

Any help would be greatly appreciated.
 
I would like the DA group added to the local administrators group of each workstation. The issue is we have some users that know more than the average bear and like to mess with the IT Group by removing the DA group from the local administrators section on each system in any number of our offices. We can call into the office and have someone reset the workstation(s) but that does us no good if we can't get in after that.

If I am looking in the wrong place then please tell me and let me know where I should be looking.
 
Think a better approach could be to stop users being part of the local admins group. That way they cannot remove the domain admins from the local administrators group.

There is normally very little reason why users would need local admin rights.
 
ap has total reason...

DA are local admins by default once PC is joined, and users shouldn't have admin rights on PCs, they play with fire 'cos it's someone else who gets burned...

try using the restricted groups part of GPO to force them out of the group and force DA in...


Aftertaf

"Solutions are not the answer." - Richard Nixon
 
Unfortunately - :( - the local users have to be set up on each workstation as a local administrator (that's the kicker about all of this). We use a production application that requires them to remote (TS) back to the central office and perform their duties that way. We have tried setting them as Power Users, but Local Administrator privileges seem to be the only way each one can connect and work successfully.

Servers: W2K
Workstations: WinXP Pro

I don't know if the platform information helps, but I thought I would add it anyway.

Believe me - I would love to make all of these users ANYTHING other than local admins on their workstations! Because of it - I have more gray hairs than the Chairman of the company. That stinks when you consider he's 40+ years older than I.
 

This should help you out. If I were you I would work on figuring out what the users need full access to without giving them admin rights. When I started for the company I work at everyone had full rights and all machines had hotbar, google bar, and everything else known to man installed. I started removing those admin privileges, some apps stopped working until I figured out if it was a directory or registry key that they needed full access to, then applied the permissions. It sucks, but causes fewer headaches in the end.

Network Admin
A+, Network+, MCSA 2000, MCSE 2000
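
The Restricted Groups suggestion and the original poster's constraint that users must stay local administrators meet in the choice between the policy's two modes. The fragment below is an added example, not posted by anyone in the thread: it shows how each mode looks in a GPO's GptTmpl.inf, with `<domain-id>` as a placeholder for the domain's own SID portion.

```ini
; Added example (not from the thread). Restricted Groups as stored in a
; GPO's GptTmpl.inf. Use ONE of the two options, not both in one file.
;   S-1-5-32-544              = BUILTIN\Administrators (well-known SID)
;   S-1-5-21-<domain-id>-512  = Domain Admins (<domain-id> is a placeholder)

; --- Option A: "Members of this group" set on Administrators ---------------
; Authoritative: at each policy refresh the local Administrators group is
; reset to exactly this list. Accounts not listed are removed, which would
; also strip the users who currently need local admin for their application.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<domain-id>-512

; --- Option B: "This group is a member of" set on Domain Admins -------------
; Additive: Domain Admins is put back into local Administrators at each
; policy refresh, and existing members of Administrators are left in place.
[Group Membership]
*S-1-5-21-<domain-id>-512__Memberof = *S-1-5-32-544
*S-1-5-21-<domain-id>-512__Members =
```

Option B restores Domain Admins after a user removes it without changing who else is a local administrator; Option A is the form that also enforces removal of everyone not listed.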
 