Tuesday, December 12, 2006

Restricted Groups with Windows Server 2003 Group Policy

Obviously, someone somewhere needed the ability to add a group of domain users (other than the Domain Admins) to the local administrators group. I was tasked with the challenge of using Group Policy to accomplish this very goal.

I read a ton of material on the subject, including:
Microsoft – http://support.microsoft.com/kb/279301
Computer Performance (I love this site) - http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_restricted_group.htm
Windows Server 2003 Group Policy book - http://www.amazon.com/Microsoft-Windows-Group-Policy-Pro-One-Offs/dp/0735622175/sr=8-1/qid=1165976531/ref=pd_bbs_sr_1/002-8424295-6146452?ie=UTF8&s=books
Windows Security - http://www.windowsecurity.com/articles/Increasing-Security-Limited-User-Accounts-Restricted-Groups.html
Microsoft.Public.Windows.msi Google Group (I found this as a link in the Windows Security site above) - http://groups-beta.google.com/group/microsoft.public.windows.msi/browse_thread/thread/3bfaf8d52a0f8650/2a6c9d07514c3d18?q=group+policy+local+administrator&_done=%2Fgroups%3Fq%3Dgroup+policy+local+administrator%26start%3D20%26hl%3Den%26lr%3D%26&_doneTitle=Back+to+Search&&d#2a6c9d07514c3d18

The last one is the one that finally provided the most complete instructions for how to add a security group from Active Directory to the local Administrators group of a domain member server or workstation. Hopefully, this will serve as a reminder for me of how to do this correctly and help someone who is having the same problem I was. Incidentally, I have done this for a smaller group of machines using security filtering and placed them into the Power Users group.
I assume no liability for anything the reader attempts based on anything I have written. I am also assuming a lot of prerequisites, such as domain admin rights, the GPMC, etc.

Instructions Begin Here:
1. From a Windows Server 2003 member server or a Windows 2000/XP workstation, open the GPMC. Right-click the policy and click Edit.
2. Navigate to Computer Settings\Windows Settings\Security Settings\Restricted Groups.
3. Right-Click the Restricted Groups icon and select Add Group…
4. When the dialog box opens, select Browse, change the “Location” by clicking the “Locations” button, select the name of the local machine and click OK.
5. Choose the appropriate local group that you are trying to add members to (such as administrators or power users) and click OK
6. Click OK again.
7. When the next dialog box appears it will contain two sections named ‘Members’ and ‘Members Of’.
8. Click on the Add button next to ‘Members’ and select the group from the domain that should be the local administrators
9. Click OK and OK again.
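What the GUI actually writes: the Restricted Groups entry from steps 3–9 is saved as a security template in the GPO’s SYSVOL folder (GptTmpl.inf, section [Group Membership]), with the local group and its members stored as SIDs. The PowerShell below is an added example, not code from the original post, that parses that section and resolves the SIDs back to names so you can confirm the policy says exactly what you intended before linking it. The template text in it is constructed and the domain SID in it is a placeholder. One caveat worth checking for here: the ‘Members’ list is enforced as the complete membership, so anything not listed (Domain Admins included) is removed when the policy applies, whereas ‘Members Of’ only adds the group to the groups named and leaves existing members alone.

```powershell
# Added example, not code from the original post: parse the [Group Membership]
# section that the Restricted Groups GUI (steps 3-9) writes into the GPO's
# security template (GptTmpl.inf) and resolve the SIDs it stores to names.
# The template text below is constructed; its domain SID is a placeholder.

function Resolve-SidOrName {
    param([Parameter(Mandatory)][string]$Entry)
    # Entries the GUI stored as SIDs carry a leading '*'; typed names have none.
    if ($Entry -notmatch '^\*?S-1-') { return $Entry }
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Entry.TrimStart('*')
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Entry          # unknown (or placeholder) SID: keep the raw value
    }
}

function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        $trim = $line.Trim()
        if ($trim -match '^\[(.+)\]$') {                 # section header
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or -not $trim) { continue }
        # Line format: <group>__Members = m1,m2   or   <group>__Memberof = g1,g2
        if ($trim -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            # Copy captures before calling anything that runs another -match
            $groupRaw = $Matches['group']; $kind = $Matches['kind']; $list = $Matches['list']
            $names = @()
            if ($list) {
                $names = @($list -split ',' | ForEach-Object { Resolve-SidOrName $_.Trim() })
            }
            [pscustomobject]@{
                Group   = Resolve-SidOrName $groupRaw
                Setting = $kind
                Members = $names
            }
        }
    }
}

# Constructed sample: what the GUI writes after adding one domain group (RID 1105,
# placeholder SID) as the sole member of the local Administrators group (S-1-5-32-544).
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-111111111-222222222-333333333-1105
'@ -split "`r?`n"

Get-RestrictedGroupEntry -InfLines $sampleInf | Format-List

# For a real GPO, read the template from SYSVOL instead (GroupPolicy module / RSAT):
#   $gpo = Get-GPO -Name 'Local Admins Policy'     # placeholder GPO name
#   $inf = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
#   Get-RestrictedGroupEntry -InfLines (Get-Content $inf)
```

On the sample, S-1-5-32-544 resolves to BUILTIN\Administrators on any Windows machine, while the placeholder domain SID cannot be resolved and is shown raw; on a domain-joined machine a real entry resolves to DOMAIN\GroupName. If the ‘Members’ line for Administrators lists only your delegated group, that is exactly what the clients will end up with.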

When the policy is processed (timing depends on your environment) and the machine is rebooted, the domain group should be a member of the local Administrators group.
The domain group will appear in Computer Management for the client under Groups->Administrators.
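Rather than opening Computer Management on each client, the membership can be checked from a script. The following PowerShell is an added example, not code from the original post: it reads the local Administrators group through the WinNT ADSI provider (which works on the Windows 2000/XP/2003 machines this post is about as well as current releases) and reports members that are missing from, or extra to, the list the policy should enforce. The expected names are placeholders. Because ‘Members’ is enforced as exact membership, and security settings are reapplied at every policy refresh (by default every 16 hours even when the GPO has not changed), an account someone adds by hand shows up here as Unexpected and is removed again at the next refresh.

```powershell
# Added example, not code from the original post: verify on a domain member that the
# local Administrators group holds exactly what the Restricted Groups policy should
# enforce, and report drift. The expected names below are placeholders.

function Get-LocalAdminMember {
    # The WinNT ADSI provider is available from Windows 2000 onward;
    # Get-LocalGroupMember (LocalAccounts module) needs Windows 10 / Server 2016 or later.
    # 'Administrators' is the English built-in group name.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CORP/Workstation Admins -> CORP\Workstation Admins
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-LocalAdminMembership {
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [string[]]$Actual = (Get-LocalAdminMember)
    )
    # Account names are case-insensitive, so compare upper-cased copies
    $exp = @($Expected | ForEach-Object { $_.ToUpperInvariant() })
    $act = @($Actual   | ForEach-Object { $_.ToUpperInvariant() })
    $missing    = @($exp | Where-Object { $act -notcontains $_ })
    $unexpected = @($act | Where-Object { $exp -notcontains $_ })
    [pscustomobject]@{
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
        Missing    = $missing
        Unexpected = $unexpected
    }
}

# Placeholder expectation: the GPO's 'Members' list names the local Administrator
# account, Domain Admins and the delegated group. Anything else (a hand-added user,
# a stale service account) is reported as Unexpected.
$expected = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins', 'CORP\Workstation Admins')
$result = Compare-LocalAdminMembership -Expected $expected
$result | Format-List
if (-not $result.Compliant) { exit 1 }   # non-zero exit for a scheduled compliance check
```

Run it after the reboot in the step above; an empty Missing list confirms the domain group landed in Administrators, and a non-empty Unexpected list shows what the policy is about to strip out, which is the thing to check before applying the policy to machines where someone relies on a locally added administrator.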