As I said on my previous post titled "3 ways to grant “Local Admin” permissions to Domain Users":
There are 2 ways to use Restricted Groups.
- The first way simply adds New Users alongside the pre-existing Local Administrators Users (within the (Local) "Administrators"-Group).
- The second way resets (i.e. deletes/wipes) ALL the pre-existing Local Administrators Users off the (Local) "Administrators"-Group. Hope that makes sense.
For further details regarding the first way (also referred to as Restricted Groups), please refer to the article linked in my first paragraph (above).
In this post I will show you how to deploy Secure Restricted Groups (the second way).
Secure Restricted Groups.
Secure Restricted Groups happens to be more secure, but it is also disruptive at the same time.
It is more secure because it removes all the pre-existing (Local/Domain) Users from the (Local) "Administrators" Group (in case sneaky software tricks your Local Admin Users).
It is disruptive because it removes all the pre-existing (Local/Domain) Users from the (Local) "Administrators" Group (that's not an error).
Worst case scenario - you lose Administrative access to your Windows PC(!).
The second way to use Restricted Groups to grant Local Administrator Permissions can be more confusing to implement (especially if you already know how to implement the first way), because the order of the Users and Groups is reversed.
Secure Restricted Groups requirements.
The Secure Restricted Groups requirements are the same as the Restricted Groups:
- An Active Directory Domain (SBS or Windows Server 2000+ based).
- A "Domain Group" to which to grant Local Administrator permissions.
(In this post I will assume your Domain Group is "G_HomeAdmins").
- Group Policy.
Secure Restricted Groups on your workstations - automatically.
- Wipe clean your workstations' (Local) "Administrators"-Group first.
- Then force only the Users of your choice as members of the (Local) "Administrators"-Group.
- Fully automate the above 2 bullet points.
On your Domain Controller Server or from your RSAT management console,
- Browse to Administrative Tools -> Group Policy Management -> Locate your Computers OU (i.e. “HeadOffice Workstations”) -> Right-click on your Computers OU & "Create GPO & Link it here" (name it, say, “HeadOffice Workstations Secure Local Admins”).
- On the Group Policy Management Editor, Expand:
+ “Windows Settings”.
+ “Security Settings”.
+ “Restricted Groups”.
- On the Right pane of “Restricted Groups”, Right click and Select "Add Group...".
- To provide Local Admin Permissions ONLY to the Group of your choice, here TYPE (or copy-paste) "Administrators".
- A new "Administrators Properties"-window will pop up.
IGNORE/Skip the second text box area (where it says "This group is a member of:"); only the first text box ("Members of this group:") matters here.
From http://support.microsoft.com/kb/279301 : "any current member of a restricted group that is not on the "Members [of this group]" list is removed with the exception of administrator in the Administrators group. Any user on the "Members [of this group]" list which is not currently a member of the restricted group is added".
- On the New Window, Click on "Browse...", locate (or copy-paste) "Domain Admins" (i.e. the Group you wish to grant Local Admin permissions to) and Click on the Ok-button to confirm.
- Run an admin cmd & "gpupdate /force".
- REBOOT the Target Computer(s) belonging to the (GPO-linked) OU.
Step No. 6 (the "Browse..." step) is where you actually grant Local Admin permissions to the Domain Admins.
That'll delete all the Workstation's (Local) "Administrators" Members first,
then it'll ADD "Domain Admins" to the "Administrators" Group.
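Because this GPO wipes the group before it re-populates it, you want to know exactly who is going to lose Local Admin before you link it, and you want to confirm the result after the gpupdate/reboot. The following PowerShell script is an added example (not part of the original post or of any Microsoft tooling) that enumerates the (Local) "Administrators" Group on each workstation and diffs it against the members your GPO enforces. The domain name CONTOSO and the group G_HomeAdmins are placeholder assumptions; pass whatever you typed into "Members of this group:" via -Expected (e.g. 'CONTOSO\Domain Admins' if you followed Step No. 6 literally).

```powershell
<#
  Added example (not part of the original post): audit the local "Administrators"
  group on your workstations and diff it against the membership your Secure
  Restricted Groups GPO will enforce.
  - Run it BEFORE linking the GPO to see exactly which members will be wiped.
  - Run it AFTER "gpupdate /force" and a reboot to confirm the result.
  Assumptions: the domain NetBIOS name CONTOSO and the group G_HomeAdmins are
  placeholders; set -Expected to what you put in "Members of this group:".
  Pass NetBIOS computer names so local accounts can be told apart from domain ones.
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Expected     = @('CONTOSO\G_HomeAdmins')
)

function Get-LocalAdministrators {
    param([string]$Computer)
    # The WinNT ADSI provider works remotely and on systems that lack
    # Get-LocalGroupMember (anything older than Windows 10 / Server 2016).
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path     = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            # WinNT://CONTOSO/G_HomeAdmins  ->  CONTOSO\G_HomeAdmins
            Name = ($path -replace '^WinNT://', '') -replace '/', '\'
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        }
    }
}

function Test-RestrictedGroupImpact {
    param([string]$Computer, [string[]]$Expected)
    $current = @(Get-LocalAdministrators -Computer $Computer)

    # Restricted Groups removes every member not on the list EXCEPT the built-in
    # local Administrator (RID 500 on the machine's own SID), per KB 279301.
    # DOMAIN\Administrator also has RID 500, so the account's authority is checked too.
    $willRemove = $current | Where-Object {
        $_.Name -notin $Expected -and
        -not ($_.Sid -like '*-500' -and ($_.Name -split '\\')[0] -ieq $Computer)
    }
    # Anything on the list that is not yet a member gets added by the GPO.
    $willAdd = $Expected | Where-Object { $_ -notin $current.Name }

    [pscustomobject]@{
        Computer      = $Computer
        Current       = ($current.Name -join ', ')
        WillBeRemoved = ($willRemove.Name -join ', ')
        WillBeAdded   = ($willAdd -join ', ')
        Compliant     = (-not $willRemove -and -not $willAdd)
    }
}

foreach ($c in $ComputerName) {
    try {
        Test-RestrictedGroupImpact -Computer $c -Expected $Expected
    } catch {
        Write-Warning "$c : could not enumerate Administrators ($($_.Exception.Message))"
    }
}
```

Run it as a Domain Admin from the RSAT console, e.g. `.\Audit-LocalAdmins.ps1 -ComputerName PC01,PC02 -Expected 'CONTOSO\G_HomeAdmins'`. A row with a non-empty WillBeRemoved column before you link the GPO is the warning from the "Worst case scenario" paragraph made concrete; after the reboot every row should read Compliant = True, with the built-in Administrator still listed under Current.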
Next I will show you how Alan's article has "worked" for me.