We want to have our support and admin staff be able to
log onto our W2K desktops with full local administrator
rights. All other users needed to have a restricted
desktop environment. Also we need to be able to manage
these permission groups via AD. We do not want these
users to have Domain Admin rights.

Can anyone help please?

Hi Chris

You need to have all your workstations under a single OU. Then, ensure you
have a security group on the domain that has the correct membership for your
support and admin staff.

Then, create a new Group Policy object and set up a computer startup script
(Computer Configuration | Windows Settings | Scripts (Startup/Shutdown) |
Startup

For name, use "net" and for parameters, use "localgroup administrators
domain\helpdesk /add"

This will execute the command "net localgroup administrators domain\helpdesk
/add" each time a machine affected by the policy boots.

Be aware that if a workstation falls out of scope of your GPO, the change
won't be removed from the machine.

There is a feature called "restricted groups" that behaves similarly, but
depending on OS and hotfix level it can either replace the existing
membership or add to it. The method outlined above is safer.

Hope this helps

Oli


"Chris" wrote in message
news:2c32501c469c4$b090c280$a601280a@phx.gbl...
> We want to have our support and admin staff be able to
> log onto our W2K desktops with full local administrator
> rights. All other users needed to have a restricted
> desktop environment. Also we need to be able to manage
> these permission groups via AD. We do not want these
> users to have Domain Admin rights.
>
> Can anyone help please?
>
>

You can use Restricted Groups to create a global group which has your users that can
be added to the local administrators group of computers in an Organizational Unit.
See the link below for details. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065

"Chris" wrote in message
news:2c32501c469c4$b090c280$a601280a@phx.gbl...
> We want to have our support and admin staff be able to
> log onto our W2K desktops with full local administrator
> rights. All other users needed to have a restricted
> desktop environment. Also we need to be able to manage
> these permission groups via AD. We do not want these
> users to have Domain Admin rights.
>
> Can anyone help please?
>
>

Unfortunatly my original statement was not quite correct,
we do have a number a users who require local admin
rights to run some applications. Restricted group access
removes all other members of that group, so this would
not quite fit the requirement.

Thanks for the help, any other suggestions?

>-----Original Message-----
>You can use Restricted Groups to create a global group
which has your users that can
>be added to the local administrators group of computers
in an Organizational Unit.
>See the link below for details. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=KB;EN-
US;Q320065
>
>"Chris" wrote in
message
>news:2c32501c469c4$b090c280$a601280a@phx.gbl...
>> We want to have our support and admin staff be able to
>> log onto our W2K desktops with full local administrator
>> rights. All other users needed to have a restricted
>> desktop environment. Also we need to be able to manage
>> these permission groups via AD. We do not want these
>> users to have Domain Admin rights.
>>
>> Can anyone help please?
>>
>>
>
>
>.
>

The "net localgroup" command would have been perfect, but
unfortunatly the group we wish to add with the domain
name is longer than 28 characters. The command fails
with a syntax error.

Other than changing the name any further suggestions
would be greatly appreciated.

Cheers.

>-----Original Message-----
>Hi Chris
>
>You need to have all your workstations under a single
OU. Then, ensure you
>have a security group on the domain that has the correct
membership for your
>support and admin staff.
>
>Then, create a new Group Policy object and set up a
computer startup script
>(Computer Configuration | Windows Settings | Scripts
(Startup/Shutdown) |
>Startup
>
>For name, use "net" and for parameters, use "localgroup
administrators
>domain\helpdesk /add"
>
>This will execute the command "net localgroup
administrators domain\helpdesk
>/add" each time a machine affected by the policy boots.
>
>Be aware that if a workstation falls out of scope of
your GPO, the change
>won't be removed from the machine.
>
>There is a feature called "restricted groups" that
behaves similarly, but
>depending on OS and hotfix level it can either replace
the existing
>membership or add to it. The method outlined above is
safer.
>
>Hope this helps
>
>Oli
>
>
>"Chris" wrote in
message
>news:2c32501c469c4$b090c280$a601280a@phx.gbl...
>> We want to have our support and admin staff be able to
>> log onto our W2K desktops with full local administrator
>> rights. All other users needed to have a restricted
>> desktop environment. Also we need to be able to manage
>> these permission groups via AD. We do not want these
>> users to have Domain Admin rights.
>>
>> Can anyone help please?
>>
>>
>
>
>.
>

Oli's suggestion would be your other option by using the net localgroup command in a
startup script. --- Steve

"Chris" wrote in message
news:2ce7d01c46a81$3a010f90$a601280a@phx.gbl...
> Unfortunatly my original statement was not quite correct,
> we do have a number a users who require local admin
> rights to run some applications. Restricted group access
> removes all other members of that group, so this would
> not quite fit the requirement.
>
> Thanks for the help, any other suggestions?
>
> >-----Original Message-----
> >You can use Restricted Groups to create a global group
> which has your users that can
> >be added to the local administrators group of computers
> in an Organizational Unit.
> >See the link below for details. --- Steve
> >
> >http://support.microsoft.com/default.aspx?scid=KB;EN-
> US;Q320065
> >
> >"Chris" wrote in
> message
> >news:2c32501c469c4$b090c280$a601280a@phx.gbl...
> >> We want to have our support and admin staff be able to
> >> log onto our W2K desktops with full local administrator
> >> rights. All other users needed to have a restricted
> >> desktop environment. Also we need to be able to manage
> >> these permission groups via AD. We do not want these
> >> users to have Domain Admin rights.
> >>
> >> Can anyone help please?
> >>
> >>
> >
> >
> >.
> >

Damn. I don't know of a way around that. You might want to try posting to
somewhere like microsoft.public.win2000.cmdprompt.admin or
microsoft.public.scripting.wsh in case there is another method for doing
that.

I'm not sure if you could do something with group nesting and use a shorter
name for the new group.

Regards

Oli


wrote in message
news:2d8bb01c46a82$25324240$a401280a@phx.gbl...
> The "net localgroup" command would have been perfect, but
> unfortunatly the group we wish to add with the domain
> name is longer than 28 characters. The command fails
> with a syntax error.
>
> Other than changing the name any further suggestions
> would be greatly appreciated.
>
> Cheers.
>
>>-----Original Message-----
>>Hi Chris
>>
>>You need to have all your workstations under a single
> OU. Then, ensure you
>>have a security group on the domain that has the correct
> membership for your
>>support and admin staff.
>>
>>Then, create a new Group Policy object and set up a
> computer startup script
>>(Computer Configuration | Windows Settings | Scripts
> (Startup/Shutdown) |
>>Startup
>>
>>For name, use "net" and for parameters, use "localgroup
> administrators
>>domain\helpdesk /add"
>>
>>This will execute the command "net localgroup
> administrators domain\helpdesk
>>/add" each time a machine affected by the policy boots.
>>
>>Be aware that if a workstation falls out of scope of
> your GPO, the change
>>won't be removed from the machine.
>>
>>There is a feature called "restricted groups" that
> behaves similarly, but
>>depending on OS and hotfix level it can either replace
> the existing
>>membership or add to it. The method outlined above is
> safer.
>>
>>Hope this helps
>>
>>Oli
>>
>>
>>"Chris" wrote in
> message
>>news:2c32501c469c4$b090c280$a601280a@phx.gbl...
>>> We want to have our support and admin staff be able to
>>> log onto our W2K desktops with full local administrator
>>> rights. All other users needed to have a restricted
>>> desktop environment. Also we need to be able to manage
>>> these permission groups via AD. We do not want these
>>> users to have Domain Admin rights.
>>>
>>> Can anyone help please?
>>>
>>>
>>
>>
>>.
>>