
Thread: Script or Policy to Allow Single User to be Admin on Specific Computer

  1. #1 ender

    Script or Policy to Allow Single User to be Admin on Specific Computer

    In a Windows Server 2003 domain with Windows XP clients. We are looking for a way, hopefully through Group Policy or some sort of login script, to restrict membership in the local Administrators group on specific computers to individual domain user accounts.

    We have a group policy (with the restricted group enabled under computer config) that normally prevents any user accounts except our management accounts from being in the local Administrators group on a workstation.

    We now have a few specific users we want to be able to have a separate domain user account in the local admins group on their specific computer.

    I don't know of a way to do this with a single group policy, as if you add all user accounts to the restricted groups in group policy, and filter it to a security group with the computers that were allowed to have other accounts in their local admin group, then it would give users access to all the computers in that security group.

    So basically we will add a user's domain user account to the local admins group on the user's computer. But we are trying to find a way to prevent the user from then adding other user accounts to the local admins group on their computer. (Since the user is in the local admins group, they are able to do this; we need a way to restrict just this local admin privilege.)

    I know we could create a separate group policy and filter it to each computer, to only allow a specific user account to be in the admins group, but we are trying to prevent that, and do it in a more manageable way, such as a single group policy or some kind of login script.

  2. #2 scottzaiss

    You will have to get rid of the policy with the 'Restricted Groups' as it will override anything else. Then from a Vista or better computer, create a new policy. Go to 'Computer Config\Preferences\Control Panel Settings\Local Users and Groups'. Add a new Group and select the Administrators built in group. Set this one up with your default membership. I don't think you need to add the default Admin groups like you do with Restricted Groups, (but be sure to test!).
    Now add another entry for the same Administrators group, add the single user account you want to add for a specific computer, then go to the 'Common' tab and check the 'Item Level Targeting' box. Under 'New Item' select 'Computer Name' and add the name of the computer you want. This will limit that specific policy entry to only that computer. You can then add any more entries you need the same way.
    I believe these entries are additive, so they should overlap - the one entry will add your management accounts and the others will add the machine specific accounts needed. But obviously test thoroughly since I have never actually used a GPO in this specific scenario.

    Hope this helps,
    Scott

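    The per-computer membership Scott describes can be audited from the workstation side. The PowerShell below is an added example, not code from the thread or from GPanswers: it reads the policy's Groups.xml (the SYSVOL path, the GUID placeholder and the Groups.xml element and attribute names are assumptions about how GPP stores Local Users and Groups items), works out which Administrators members the policy grants to this computer, and reports any extra accounts that were added locally. It relies on Get-LocalGroupMember, so it runs on Windows PowerShell 5.1 or later rather than on the XP clients in the thread.

```powershell
# Added example (not from the thread). Audits the local Administrators group against the
# membership a GPP "Local Users and Groups" item grants this computer, honouring the
# Computer Name item-level targeting filter. Path, GUID and XML layout are assumptions.
param(
    [string]$GroupsXml = "\\contoso.example\SYSVOL\contoso.example\Policies\{GUID-PLACEHOLDER}\Machine\Preferences\Groups\Groups.xml",
    [string[]]$AlwaysAllowed = @("BUILTIN\Administrator")   # assumption: accounts your baseline always keeps
)

[xml]$doc = Get-Content -Path $GroupsXml -ErrorAction Stop
$me = $env:COMPUTERNAME

# Expected members: every entry for the built-in Administrators group (SID S-1-5-32-544)
# that either has no <FilterComputer> target or whose target names this computer.
$expected = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($g in @($doc.Groups.Group)) {
    if ($g.Properties.GetAttribute('groupSid') -ne 'S-1-5-32-544') { continue }
    $filters = @($g.Filters.FilterComputer | Where-Object { $_ })
    $targetsMe = [bool]($filters | Where-Object {
        $_.GetAttribute('name') -ieq $me -and $_.GetAttribute('not') -ne '1'
    })
    if ($filters.Count -gt 0 -and -not $targetsMe) { continue }
    foreach ($m in @($g.Properties.Members.Member | Where-Object { $_ })) {
        if ($m.GetAttribute('action') -eq 'ADD') { [void]$expected.Add($m.GetAttribute('name')) }
    }
}
foreach ($a in $AlwaysAllowed) { [void]$expected.Add($a) }

# Actual membership right now; names come back as DOMAIN\user or COMPUTER\user.
$actual  = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
$extra   = @($actual   | Where-Object { -not $expected.Contains($_) })
$missing = @($expected | Where-Object { $_ -notin $actual })

if ($extra.Count -gt 0) {
    Write-Warning "Accounts in local Administrators that the policy does not grant on ${me}: $($extra -join ', ')"
} else {
    Write-Output "Local Administrators on $me matches the policy."
}
if ($missing.Count -gt 0) { Write-Output "Granted by policy but absent: $($missing -join ', ')" }
```

    Because GPP reapplies the item on each refresh, an account flagged as extra is one that was added between refreshes, which is exactly the change the original poster wants to catch.
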
  3. #3 ender

    This 'Item Level Targeting' is very interesting, I have not heard of this before. So with this you are saying we could filter each user account separately to only apply to the specific computer we want that user to have administrator on?

    Now all of our client PCs are only Windows XP at this point. I assume the client PC would also need to be higher than XP to work with this item level targeting?

    Or if we used GPMC on a Windows 7 client PC to create the group policy, would it work on Windows XP clients?

  4. #4 scottzaiss

    The Windows XP machines only need a couple of clients installed. The Group Policy Client Side Extensions (KB943729) and an XML update (XML Lite?). Both were available through Windows Update over a year ago, so hopefully you should already have them.

  5. #5 ender

    The preferences seem to be exactly what I am looking for. I have created a Test GPO using a Win7 machine and enabled a few preferences, and I am now trying to get it to apply to a Win XP workstation. I just installed what you linked, the extensions.

    Right now the XP client does not seem to receive the Test GPO that contains the preferences, but does receive other GPOs filtered to its OU. Running gpresult shows it's not getting applied to it.

    Anything else I should check for that might be required for an XP client to be able to see these policy preferences?

  6. #6 cpqalve

    You also want to read this article:

    How to use Group Policy Preferences to Secure Local Administrator Groups
    http://www.grouppolicy.biz/2010/01/h...trator-groups/

    Cheers
    Alex
