Tag: Group Policy

How to Add AD user accounts or groups into the local Administrators group with GPO

How to use Restricted Groups?

( – or: How to Add AD user accounts or groups into the local Administrators group with GPO)

This article describes the feature “Restricted Groups” in Group Policy. This feature enables you – as the administrator – to configure group memberships on the client computers or member servers. You can add user accounts to groups on client machines that are in the scope of the policy.

As there are many questions about this in the newsgroups, I will come up with an example that shows how to put a group of Active Directory users into the local Administrators group on the clients.

For this article, I assume that you already created a global security group containing all users that shall become local Administrators on some client computers. In my example, the group is called “localAdmins”. The target (= client) computers reside in a specific OU.

If you’re using the Group Policy Editor, you navigate to the OU where the client computers reside and right-click it. Choose “Properties” and “Group Policy” where you create a new Policy and click “Edit”. You then navigate to:

Computer ConfigurationWindows SettingsSecurity Settings and then right-click “Restricted Groups” and choose “Add Group”.

You simply add the created group by clicking You simply add the created group by clicking “Browse..” or typing the group name into the box.

After clicking “OK”, another  window opens up, where you can find two boxes. The upper box, saying “Members of this group”, the lower one saying “This group is a member of”. In my case above I am adding a group called TechSupport.

If you added users or groups into the “Members of this group” box, you would advise the Restricted Groups feature to put the users and groups you selected into the localAdmins group. Restricted Groups would then replace the current members of the localAdmins group with the users and groups you filled into the box. Please understand that it replace them by wipeing existing users out of the local Admins group.

Since we do not want to add users or other groups to our existing group, but instead want to add a new  group to the local Administrators group on all of our clients, we have a look at the lower box – labeled “This group is member of”. We click “Add” and type in the name of the group that  we want  added to the localAdmins on each client. In this case, it’s “Administrators”. We then simply click “OK” and “Apply” and close all windows. “This group is member of” advices “Restricted Groups” to add our localAdmins group into the “Administrators” group of the clients. The existing group members will not be touched – it simply adds in this case  the TechSupport group to every clients local administrators group.

2011/09/16 | By | 3 Replies More

Adding the admx files from Office 2010 admin templates into your GPMC

I had to add some Outlook 2010 specific GPO’s this week and found the instructions available on the net weren’t quite adequate. So I thought I would explain the procedure I took to get it done.

First off, you will need to download the admin template files Get them here

The 32bit and 64bit admx files are identical.  You only need the different versions if you are using the Office Customization Tool (OCT)

The downloaded file is a self-extracting file. Just launch it and extract the file to a folder. Inside that folder will be an admx folder and the corresponding language files (in their own folders). There will also be an adm folder (these are the older style adm template files) and a admin folder (which you only need if your using OCT and don’t have the enterprise office install)

Now go to the folder C:windowssyvoldomainpolicies

Create a folder inside of policies folder called policydefinitions  and copy all the files from the admx folder that was created  from the extraction  and any language file folders you may need. The complete folder path will be C:windowssyvoldomainpoliciespolicydefinitions 

In my case I added all the office admx files and only the corresponding English languages.

admx locations

Close your group policy console if open and re-open it. As shown below, all of the Office 2010 admx template files will now show up under Administrative templates since it is retrieving them automatically from the central store.

policy

In this particular case I was adding a GPO to automatically check user spelling before sending emails.

spelling rule

That’s It. Now that wasn’t too difficult after all

2011/08/22 | By | 4 Replies More