GPO deploy local admins

Tags: active-directory, group-policy, windows-server-2012-r2

Really need help with this.

I need to allow someone else to be administrator for client computers and servers but not for domain controller.

I was able to do that, but whatever I do, that user is always part of the Administrators group and can log on to the DC, create OUs, etc.

Steps

  1. create domain user (TestAdmin)
  2. create group (LocalAdmins)
  3. add user to group (then make group primary and remove user from Domain Users group)
  4. create GPO (gpoLocalAdmin)
  5. edit policy (Windows Settings->Security Settings->Restricted Groups) new group -> select -> LocalAdmins
  6. This group is member of (select -> administrators)
  7. gpupdate

This policy is not deployed to domain controllers (different OU), but TestAdmin can log on and administer the domain.

How do I fix this?

Thanks

Best Answer

First off, unless you have a really good reason, don't remove this user from Domain Users. Also, there is almost never a reason to change the primary group. IIRC this setting exclusively applies to POSIX applications, and has no bearing whatsoever on anything security related.

That aside, you have the right idea here. Add a domain user to a domain group, then use Group Policy to add the domain group to the local Administrators groups. You went wrong in step 5, where you have the group membership reversed.

In effect, what you just asked GP to do is "take a domain group and add it to the local Administrators group." This sounds correct, but look a bit closer and realize which element you're asking Group Policy to modify: in this case, you're asking it to modify the domain group by adding it to the local group, which will never work. Since Group Policy is always processed on client systems, you can't ever modify domain accounts; you can only modify local accounts.

To get this working correctly, you need to ask group policy to modify the local group by adding the domain group to it. To do this, open Restricted Groups, and start by selecting the Administrators group on the local system (don't worry, it will work for the corresponding group on any system):

[Screenshot: Add Restricted Group]

Then, modify it by adding the domain group as a member:

[Screenshot: Modify Restricted Group]
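A verification check to run after `gpupdate`, added here as an example and not part of the answer above: it enumerates the Administrators group on a member server and on a domain controller through the WinNT provider (which also works on Windows Server 2012 R2, where `Get-LocalGroupMember` is not available) and reports whether the domain group shows up where it should and, more importantly, where it should not. The domain name `CONTOSO` and the group name `LocalAdmins` are placeholders taken from the question; the function name is assumed.

```powershell
function Test-LocalAdminGroupMembership {
    param(
        [string]$Computer    = $env:COMPUTERNAME,
        [string]$DomainGroup = 'CONTOSO\LocalAdmins'   # placeholder: DOMAIN\Group from your environment
    )

    # Bind to "Administrators" on the target. On a member server or workstation this
    # is the SAM-local group the Restricted Groups policy rewrites. On a domain
    # controller there is no SAM-local group; the WinNT provider returns the domain's
    # built-in Administrators instead, so a hit there means domain-wide admin rights.
    $grp = [ADSI]"WinNT://$Computer/Administrators,group"

    $members = @(
        $grp.psbase.Invoke('Members') | ForEach-Object {
            # ADsPath looks like WinNT://CONTOSO/LocalAdmins; normalise to DOMAIN\Name
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    )

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
    $isDc = (Get-WmiObject Win32_ComputerSystem -ComputerName $Computer).DomainRole -ge 4
    $present = $members -contains $DomainGroup      # -contains is case-insensitive

    [pscustomobject]@{
        Computer           = $Computer
        IsDomainController = $isDc
        Members            = ($members -join ', ')
        HasDomainGroup     = $present
        # Expected outcome: present on members, absent on DCs
        PolicyAsIntended   = if ($isDc) { -not $present } else { $present }
    }
}

# Run against one member server and one DC (names are placeholders) and compare.
'MEMBER01', 'DC01' | ForEach-Object { Test-LocalAdminGroupMembership -Computer $_ }
```

Note that the "Members of this group" setting is enforced as an exact list at every policy refresh, so any account not listed there (other than the ones Group Policy adds itself) is removed from local Administrators on the targeted machines.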
