Local Admin on all machines and add comp to domain
This thread has 11 replies and has been viewed 3115 times.
#1
Hello all,
I have been doing some research on how to do these two things, but I don't seem to be having much luck on these specific issues. I currently have domain admins, which of course has all of the system administrators. I recently created a group called Desktop Support, which will house the...can we guess...desktop support people. I need this desktop support group to have two things:
As for my computer name structure, they are in different OUs. So when I add a machine to the domain, it ends up in the Computers folder. After that, I move the computer into a different OU called either Laptop, Desktops or Servers. Thank you for taking a look and reading. If you have any suggestions, I thank you in advance.
#2
I am sorry, I guess I missed the GPO forum. I will post this there.
Once again, sorry.
#3
Hello all,
I have been doing some research on how to do these two things, but I don't seem to be having much luck on these specific issues. I currently have domain admins, which of course has all of the system administrators. I recently created a group called Desktop Support, which will house the...can we guess...desktop support people. I need this desktop support group to have two things:
1. The ability to add computers to the domain.
2. Set up the group as a local administrator on all client PCs (not servers).
As for my computer name structure, they are in different OUs. So when I add a machine to the domain, it ends up in the Computers folder. After that, I move the computer into a different OU called either Laptop, Desktops or Servers. Thank you for taking a look and reading. If you have any suggestions, I thank you in advance.
#4
A Mod can move the post instead of you double posting..
To answer your question, take a look at Restricted Groups in the GPO. Add the group in the local administrators that way. Then, you might want to delegate control over the computer objects in the OU where desktops are to the same group, as I suppose they will be joining machines to the domain etc.
#5
We have two groups:
Desktop Support: gGpl_AddGrouptoLocalAdminsGroup
Domain Admins: Domain Admins
We add both groups to all Local Administrators groups on workstations by GPO:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups
GroupName = Administrators
Members = myDomain\gGpl_AddGrouptoLocalAdminsGroup, myDomain\Domain Admins
Of course you apply this GPO to the OU with your workstations, as your servers will be in their own, separate OU. Your Desktop users should be in the "gGpl_AddGrouptoLocalAdminsGroup" group.
As for adding computers to the domain, edit "Default Domain Controller" group policy under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\". Here look for the policy named "Add workstations to domain" and double click on it. Now add the group "gGpl_AddGrouptoLocalAdminsGroup" to this policy. Wait for the replication to finish between the DCs and your help desk personnel is now able to add workstations to domain.
__________________
+-- JDMils
+-- System Admin, DotNet programmer & Jack of all trades
#6
I appreciate you getting back to me on this. I have been doing research and stumbled across the restricted groups policy. I had a question about the way it works though. If I set up restricted groups, can I still add individual users to the local admin group? Many of my users need to be local admins on their machines because of the type of work and software they do/use. This is something I will need to test.
As for the adding machines to the domain, I did edit that GPO but it doesn't seem to help with anything. My support group is still having problems adding machines to the domain. Anyone have any ideas about what could be causing this?
#7
Quote:
Is it possible to have the mods delete this post or lock it or something....
#8
Moved to GPO forum at OP's request
And merged with the other thread
Reasons not to double post number 403.5......
__________________
Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland
** Remember to give credit where credit is due and leave reputation points where appropriate **
Last edited by Ossian; 16th May 2008 at 12:50.
#9
Quote:
This works great, but the only problem I have is that if I do this to all of my computers in the domain, it overwrites what is currently in the local administrators group. The majority of my users need to be a local admin on their box. Is there a way around this...or maybe a GPO that allows you to create local groups on the machine itself. Thank you once again.
#10
I figured out what I did wrong with the restricted groups. I set up the reverse...I had it overwrite instead of add my domain group to the local group. Sorry...my brain is fried.
Now I just need to figure out why I can't set up my desktop support group to add machines to the domain. I added them to the GPO and delegated control to them, but it still doesn't seem to be working. I am getting an access is denied error.
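
The overwrite-versus-add difference discussed in posts #5, #9 and #10 is visible in the GPO's security template (GptTmpl.inf) as two different line types under [Group Membership]. The following is an added example, not code from any poster in this thread: a Python check that reports whether a template replaces the local Administrators membership or only nests a group into it. The function name and the sample SIDs are assumptions made for illustration.

```python
# Added example: classify Restricted Groups entries in a GptTmpl.inf export.
ADMIN_IDS = {"*s-1-5-32-544", "administrators"}  # BUILTIN\Administrators

def audit_restricted_groups(inf_text):
    """Return (replace, additive) for the local Administrators group.

    replace:  members forced by an 'Administrators__Members' line, or None
              if absent; local members not on the list are removed.
    additive: groups nested into Administrators by '<group>__Memberof';
              existing local members are left alone.
    """
    replace, additive = None, []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, mode = key.strip().rpartition("__")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if mode.lower() == "members" and group.lower() in ADMIN_IDS:
            replace = values
        elif mode.lower() == "memberof" and any(v.lower() in ADMIN_IDS for v in values):
            additive.append(group)
    return replace, additive

# Constructed samples; the domain SID and RIDs below are placeholders.
DESKTOP_SUPPORT = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_ADMINS = "*S-1-5-21-1111111111-2222222222-3333333333-512"

# "Members of this group" set on Administrators: overwrites local admins.
OVERWRITE_INF = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {DESKTOP_SUPPORT},{DOMAIN_ADMINS}
"""

# "This group is a member of" set on the domain group: adds it only.
ADD_INF = f"""[Group Membership]
{DESKTOP_SUPPORT}__Memberof = *S-1-5-32-544
{DESKTOP_SUPPORT}__Members =
"""

if __name__ == "__main__":
    for name, text in (("overwrite", OVERWRITE_INF), ("add", ADD_INF)):
        print(name, audit_restricted_groups(text))
```

A non-None first value means every workstation in scope has its local Administrators group rewritten to exactly that list at policy refresh, so individually granted local admins are dropped.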