
Thread: Automatic b!%#$ slappery!!

  1. #1 PreviousPoster

    I would like to know if there is an efficient way to join a machine to the domain and have it automatically add "domain users" to the local administrators group... Anyone??

    I know this is not "best practice" but I would like to know if it were possible and how to make this happen...

  2. #2 AdamV

    You are absolutely right, it's not best practice.

    You could use a "restricted groups" policy targeted at the computers to define the membership of the local admins group. Make sure you are able to set the policy for desktops and servers separately: don't do this at domain level, target specific OUs.

    Better than domain users would usually be to add a domain group called "PC Admins" or somesuch, to include your techies who need remote access to the machines (if that applies to your environment).

    If you actually need regular Joe User to have admin rights because of a badly written, broken, third-rate, worthless application then I would always suggest adding the local user "interactive" rather than domain users. This means that the user logged in at the console has admin rights over their box, but not over any other on the network; specifically, this means they can't go through the admin share of the CEO's PC and read all those juicy docs he keeps on his local machine or in My Documents.
    When adding Interactive via a Restricted Groups policy, you need to specify this as a local group by prefixing it with the context, so:
    NTAuthority\Interactive should do the trick.

    Computer Configuration\Windows Settings\Security Settings\Restricted Groups

    (For basics on setting up an RG policy if you can't find it, do a quick Search as it has been discussed before)

  3. #3 PreviousPoster

    Thanks for the reply!

    About the domain users being local admins: the domain users this would apply to are software engineers (no domain admin rights) who need full access to their machines. The machines are actually VMs that are being created and joined to a test domain daily for testing our software. When these users need to join the VM to the domain I must always add them (and their team) to the local users group to allow full access.

    In this situation, would your suggestion stay the same or do you have any other recommendations?

  4. #4 AdamV

    I can't see why a VM should be any different, so I would go with a restricted groups policy to add "interactive" as a nearly-best practice, rather than domain users.

    NOTE: restricted groups will wipe and replace the local admins group with whatever you specify, so make sure you also include things like the local admin account, domain admins, and anything else which would otherwise normally be in there in your setup.
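The two points AdamV makes in #2 and #4 (put INTERACTIVE rather than Domain Users into the local Administrators group, and remember that Restricted Groups replaces the whole member list) can be tried on one of the daily test VMs before touching a GPO. The script below is an added example, not code from anyone in this thread: it writes the same `[Group Membership]` block that a Restricted Groups GPO stores in its GptTmpl.inf and applies it locally with secedit. It assumes a domain-joined machine that can reach a DC, a domain NetBIOS name of CONTOSO and a domain group called "PC Admins"; both names are placeholders to change for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Builds the Restricted Groups
# definition AdamV describes (INTERACTIVE instead of Domain Users in the
# local Administrators group) as a security template and applies it locally
# with secedit, the same template format the GPO's security CSE consumes.
# Assumptions (placeholders): domain NetBIOS name CONTOSO, a domain group
# "PC Admins" for the techies, and a domain-joined machine that can reach a DC.
param(
    [string]$Domain    = 'CONTOSO',      # assumption
    [string]$TechGroup = 'PC Admins',    # assumption
    [string]$WorkDir   = "$env:SystemRoot\Temp\RestrictedGroups"
)

$ErrorActionPreference = 'Stop'

function Resolve-Sid([string]$Account) {
    # DOMAIN\Name -> SID string. The template carries SIDs so it keeps
    # working if a group is renamed later.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Well-known SIDs (fixed on every Windows machine).
$AdministratorsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$InteractiveSid    = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE

# The built-in local Administrator always has RID 500, even when renamed.
$LocalAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value

# Restricted Groups REPLACES the member list, so everything that must stay
# in Administrators has to be listed here, not just what you are adding.
$Members = @(
    $LocalAdminSid
    (Resolve-Sid "$Domain\Domain Admins")
    (Resolve-Sid "$Domain\$TechGroup")
    $InteractiveSid
) | ForEach-Object { "*$_" }          # security templates prefix SIDs with '*'

# Same [Group Membership] syntax that GptTmpl.inf uses under
# Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
$Template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${AdministratorsSid}__Memberof =
*${AdministratorsSid}__Members = $($Members -join ',')
"@

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'localadmins.inf'
$DbPath  = Join-Path $WorkDir 'localadmins.sdb'
$LogPath = Join-Path $WorkDir 'apply.log'

# secedit expects a UTF-16 LE template.
Set-Content -Path $InfPath -Value $Template -Encoding Unicode

# Apply only the group-membership area (the Restricted Groups part of the template).
secedit.exe /configure /db $DbPath /cfg $InfPath /areas GROUP_MGMT /log $LogPath /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed (exit $LASTEXITCODE); see $LogPath" }

# Check the result: Domain Users gone, INTERACTIVE and the kept principals present.
net.exe localgroup Administrators
```

Run it once on a fresh VM, then look at the `net localgroup Administrators` output: "NT AUTHORITY\INTERACTIVE" should be listed alongside the local Administrator, Domain Admins and the PC Admins group, and "Domain Users" should not be. The `__Members` line is the authoritative list, which is why the script resolves and includes every principal that has to survive rather than only adding INTERACTIVE; the `__Memberof` line is left empty because the point here is to control who is in Administrators, not which other groups Administrators belongs to. Once the membership looks right, the same block is what you enter through the Restricted Groups node of a GPO linked to the VMs' OU so it is reapplied on every refresh instead of being a one-shot script.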

  5. #5 PreviousPoster

    AdamV,

    You're the "bomb-diggity-snap"!!! <--I'm trying to be cool, yet nerdy all the same...

    So from my reply, I would only assume that you can tell that your response was liked and worked. It was exactly what I was looking for and much more secure than I had imagined. Keep up the good work and may the schwartz be with you.

    By the way, I will be making myself more active of a member as time goes by. I have lots of questions and more ideas.

    Thanks again.

    REV
