SCCMNAP BLOGS

Supporting System Center Configuration Manager 2007 & Security
Welcome to SCCMNAP BLOGS Sign in | Join | Help
in Search
Home Blogs Forums Photos Downloads

This Blog

Syndication

Friend Blogs

Richard Got NAPd

Engineer, Lab Manger & Production Manager at Microsoft based in Redmond. Technical resource in release management for Microsoft Buisness Online Services. Currently working on all feature sets of Configuration Manager 2007 with focus on Network Access Protection, Virtualization and Internet Based Client Management. Previously worked for Warner Bros, NBC Studios, AT&T, 24 Hrs Fitness, State of California, Northrope Grumman, NOS Communications, GE Capital, KLA Tencor, Wells Fargo Mortagage, Dudeworks, TeleTech, TekSystems, etc...

How to Add domain accounts to Local Administrators Group using GPO

There are a lot of questions in newsgroups, forums etc. about how to use Restricted Groups in the right way so I wanted to post a how-to for people to read.

Finding Restricted Groups is easy but it only works in a domain with Active Directory so trying to find it within your local GPO on your computer isn’t possible.
1

At first you right click on Restricted Groups and select “Add Group”.
What you get is the default window to choose a group, either from your domain or maybe from your local computer depending on what configuration you want.
2

Now you have two different choices of what you want to do with the group you selected. Either you use “Members of this group” or “This group is a member of”. The differences of these choices are big so I explain in two steps.

Members of this group

This is the choice you make when you want to add users to a group. What you select here is what you will see on your computers affected by this policy. So if you for example want to add a user to the local admin group on the computers then don’t forget to add administrator also or the administrator account will be removed from the local administrators group on the computers.

As an example can be this picture where you have both the local administrator account and also the built-in Authenticated Users group.
3

This group is a member of

This choice you can use if you want to add your selected group into another group. So what you can tell is that this is the opposite of what you defined in choice 1 described above. This is also not something that will override any other configuration you have done. So if you in first choice selected “Authenticated Users” and with this option select that it will be added to the “Administrators group” any other user you might have added to the group (manually perhaps) won’t be overwritten by this choice.

So this example which you can see in this picture will add the “Power Users group” into the “Administrators group”.
4

To summarize this it’s fairly easy to use Restricted Groups and it’s also the easiest way to add/remove users in groups and you can control it in a much better way than you ever can doing this manually. If you are doing this manually today it’s time to stop and using the right way instead.

Published Jun 17 2008, 10:55 PM by Richard Dixon
Filed under: , ,

Comments

No Comments

About Richard Dixon

I’ve worked in the technology field since 1990 in Systems Management, integration and automation thru the use of Microsoft technologies such as System Center Configuration Manager 2007, Operations Manager, and Service Manager. SQL Server 2008 & Reporting Services, Visual Studio, SharePoint with InfoPath Integration, SME on Microsoft's Hyper V Virtualization technology, Failover Clustering & Network Load Balancer Services. Recently managed a 17 Hyper V node environment, over a 130 virtual machines that span environments such as Lab, Preproduction & Production supporting several System Center Configuration Manager 2007 Infrastructures customized to support all site roles for the environment including 6 MPs, 6 SUPs & 8 DPs that are all completely virtualized supporting up to 200,000 desktops across all supported environments at Microsoft, other skills includes SCCM Network Access Protection and Forefront Identity Management with a strong unique ability to learn new technologies surprisingly fast. Previously worked for Warner Bros, NBC Studios, AT&T WorldNet Service, 24 Hrs Fitness, State of California, Northrop Grumman, NOS Communications, GE Capital, KLA Tencor, Wells Fargo Mortgage, Dudeworks, TeleTech, TekSystems.
Copyright © SCCMNAP. 2007 All Rights reserved.
Powered by Community Server (Non-Commercial Edition), by Telligent Systems