Tuesday, February 24, 2009

Create a Restricted Groups policy in a security template



Goal:

Your company hired contractors to perform a hardware refresh on all workstations. Part of the assignment is that a security group has to be created in the domain, and this group needs to be added to the local Administrators group on every workstation.

Your task is to get the work done.

Solution

Use a Restricted Groups policy to get the desired result.

Prep work

  • Log on to a domain controller.
  • Create a domain security group called "Local_Admins". *** This is the group we will add to the Administrators group on each workstation. ***
  • Click Start, Run, type gpmc.msc and press Enter.
  • Right-click the container you want to push the policy from. If you do this at the top of the domain, the GPO applies to every computer in the domain; in this scenario we have an OU called ***Migration_Computers*** and we link the GPO there, so it applies only to the workstations placed under that OU.
  • Select "Create a GPO in this domain, and Link it here".
  • Name the policy ***Local_Admin_Policy*** (or anything you like) and click OK.
  • In the right pane, right-click the new GPO and select "Edit".
  • In the Group Policy editor, browse to the path below:
  • Computer Configuration
  • Policies
  • Windows Settings
  • Security Settings
  • Restricted Groups
  • In the right pane, right-click, select "Add Group" and click Browse.
  • Type ***Administrators*** and click OK. (This resolves to the built-in Administrators group, SID S-1-5-32-544, which is the local Administrators group on every workstation.)
  • Under "Members of this group" click Add, then Browse, add the group you created earlier, ***Local_Admins***, click OK and then Apply.
  • You are done. Go to one of the workstations, open a command prompt and type
  • gpupdate /force and press Enter.
  • Check the local Administrators group (Computer Management, Local Users and Groups) to verify that Local_Admins has been added.
  • ****WARNING**** If you pay attention you will notice that Domain Admins is gone from the workstation's Administrators group. The "Members of this group" list is authoritative: at every policy refresh, any account not on the list, including Domain Admins (added when the machine joined the domain) and any local accounts you had made administrators, is removed. Either go back to the Restricted Groups policy and add Domain Admins (and anything else you need) to the Members list the same way as the first group, or use the other direction instead: add a Restricted Groups entry for ***Local_Admins*** itself and list Administrators under "This group is a member of". The "Member of" setting only adds the group to Administrators and leaves the existing members alone.
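Once the GPO has refreshed you will want to check more than one workstation, and you will want to catch the case the warning above describes (Domain Admins silently dropped). The following PowerShell script is an added example, not code from the original post: it parses a constructed sample of the [Group Membership] section that the Restricted Groups editor writes into the GPO's GptTmpl.inf in SYSVOL (the section layout is the documented security-template format; the domain SID and the RID 1105 for Local_Admins are placeholders), resolves the SIDs to names, and compares them against the live local Administrators group on every computer under the OU. The domain CONTOSO / DC=contoso,DC=com, the OU name Migration_Computers and the assumption that the script runs as an account that is an administrator on the workstations are all assumptions for the example.

```powershell
# Added example (not part of the original post). Assumes: domain CONTOSO
# (DC=contoso,DC=com), the OU Migration_Computers the GPO is linked to, and
# that this runs as an account that is an administrator on the workstations,
# so the WinNT ADSI provider can read their local Administrators group.

# Constructed sample of the [Group Membership] section the Restricted Groups
# editor writes to GptTmpl.inf in SYSVOL under
# <GPO GUID>\Machine\Microsoft\Windows NT\SecEdit\. S-1-5-32-544 is the
# built-in Administrators group; the domain SID is a placeholder.
# The Members line shows the fixed policy: Local_Admins (RID 1105, assumed)
# plus Domain Admins (RID 512, well known).
$sampleTemplate = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000000000-2000000000-3000000000-1105,*S-1-5-21-1000000000-2000000000-3000000000-512
'@

# Return the SIDs listed on the __Members line for a group. That list is
# authoritative: on refresh, anything not listed is removed from the local group.
function Get-TemplateMembers {
    param([string]$TemplateText, [string]$GroupSid = 'S-1-5-32-544')
    $line = $TemplateText -split '\r?\n' | Where-Object { $_ -match "^\*${GroupSid}__Members\s*=" }
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1].Trim()
    if ($value -eq '') { return @() }
    $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Translate a SID to DOMAIN\Name; unresolvable SIDs are returned unchanged.
function ConvertTo-AccountName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

# Read the live membership of a workstation's local Administrators group via the
# WinNT ADSI provider (works on XP/2003-era clients without Get-LocalGroupMember).
function Get-LocalAdministrators {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # WinNT://CONTOSO/Local_Admins -> CONTOSO\Local_Admins
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# What the policy should leave on every workstation, as DOMAIN\Name.
$required = Get-TemplateMembers -TemplateText $sampleTemplate | ForEach-Object { ConvertTo-AccountName $_ }

# Enumerate the computer objects under the OU the GPO is linked to.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://OU=Migration_Computers,DC=contoso,DC=com'
$searcher.Filter = '(objectCategory=computer)'
$null = $searcher.PropertiesToLoad.Add('dNSHostName')

foreach ($result in $searcher.FindAll()) {
    $computer = $result.Properties['dnshostname'][0]
    try {
        $members = @(Get-LocalAdministrators -ComputerName $computer)
    } catch {
        Write-Warning "${computer}: could not read local Administrators ($($_.Exception.Message))"
        continue
    }
    $missing = @($required | Where-Object { $members -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "${computer}: missing $($missing -join ', ') (current: $($members -join ', '))"
    } else {
        Write-Host "${computer}: OK (current: $($members -join ', '))"
    }
}
```

Run it from a domain-joined admin workstation after the refresh interval has passed (or after gpupdate /force on the targets). To read the real template instead of the constructed sample, replace $sampleTemplate with Get-Content of the GptTmpl.inf under the GPO's folder in \\contoso.com\SYSVOL. For a one-off check on a single machine, "net localgroup administrators" at a command prompt shows the same membership the script reads.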

Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Blog: http://www.smtp25.blogspot.com

1 comment:

Anonymous said...

Really good article! I have implemented this in my environment in the past.