Domain users are automatically joined to the local Administrators group in Windows Server in AD DS environment

Meet the small number of partners, you will find that the needs of small partners are all kinds of, just like the client joins the domain, some customers are required to join the domain, the employee's domain account is automatically added to the local Administrators group, as well as customer requirements, after domain membership, this employee's domain account can only be limited to the normal user, You cannot have any extra permissions, including modifying the network configuration, and so on. Well, the needs of the user are justified. Next, let's take a look at how to join the domain and automatically join the local Administrators group.

Our Server01 is a domain controller, and then find a Win8.1 to do the client, as to how to upgrade the domain controller, here is no longer described, online data a lot. As for adding domain users to the local Administrators group, use the following: "Local Users and Groups" in the User Configuration preferences. Used to automatically join a login account to the local Administrators group. Or, use Computer Configuration preferences, Local Users and groups, to join the critical domain Group to the client local Administrators group.

Let's look at the specific settings:

Enables user Configuration preferences "Local Users and Groups" to automatically join the login account to the local Administrators group

Log on to the domain controller, open a domain-based policy-----User Configuration---Preferences---Control Panel settings---Local Users and groups, as shown in:

650) this.width=650; "height=" 453 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M01/6D/DE/ Wkiom1vtr63ifseiaahyno9ym8s558.jpg "border=" 0 "/>

In the right margin, create a new local group, as shown in:

650) this.width=650; "height=" 386 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M02/6D/DE/ Wkiom1vtr63jr-ptaaeie3m8ic0851.jpg "border=" 0 "/>

Select Create a new local group because you want to modify the local group information on the client computer.

650) this.width=650; "height=" 569 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M02/6D/DA/ Wkiol1vtsuetmuusaafwxrlh1qg220.jpg "border=" 0 "/>

The update in the action represents updating the members of the domain client Administrators group, not the new group; Add current user means adding the domain account at login to the local Administrators group of the client system, as long as the domain account is logged in, add it to the local Administrators group, You can also select Delete all member users on the right, or delete all member groups, which means that when the currently logged-on user is added to the local Administrators group, the other member users or groups are removed to dynamically join the Administrators group, that is, always keep the most recently logged-on user in the Administrators group. Other users are removed, but be aware that. Here we do not choose, first look at the effect.

We log on to the Win8.1 to see if the current user has joined the Admins group, and note that since I am here in a real POC environment for the customer, I have put some sensitive information into the mosaic.

650) this.width=650; "height=" 287 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M00/6D/DE/ Wkiom1vtr67rjkgaaabynsjiifi258.jpg "border=" 0 "/>

After the successful login, we go to open the Local users and groups of this client, double-click Open Administrators group, you can see the following interface, sensible people do not elaborate:

650) this.width=650; "height=" 353 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M01/6D/DE/ Wkiom1vtr67ynmf1aagkhe5iddo767.jpg "border=" 0 "/>

The experiment was successful! At this time, this login with the memory is the administrator, the permissions greatly, what modify network configuration, install software, uninstall software, modify the system configuration, all are Zhang Fei eat bean sprouts! If you want to keep only the current user and delete other users, the actions shown are as follows:

650) this.width=650; "height=" 576 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M00/6D/DE/ Wkiom1vtr67bzvcqaahppcmhi3m485.jpg "border=" 0 "/>

Of course, you don't have to be as miserable as I did in the picture, Domain Admins can still be preserved. Then, the client logs back on again and opens Adminstrators view as shown in:

650) this.width=650; "height=" 484 "title=" image "style=" Border:0px;padding-top:0px;padding-right:0px;padding-left : 0px;background-image:none; "alt=" image "src=" http://s3.51cto.com/wyfs02/M02/6D/DE/ Wkiom1vtr67dkiieaadkfxezq3e220.jpg "border=" 0 "/>

However, note that this scenario is only suitable for Win7 and later operating systems, such as xp/2003, such as the need to install plug-ins to use the "preferences" function,: https://technet.microsoft.com/zh-cn/library/cc731892 ( ws.10). aspx

It is estimated that we can not use, after all, are already two retired products. Another point is that if you want to add a group to the local Administrators group, we recommend that you use the Local Users and Groups feature under Computer Configuration.

This article is from the "Duffy" blog, make sure to keep this source http://dufei.blog.51cto.com/382644/1657656

Domain users are automatically joined to the local Administrators group under the Windows Server AD DS Environment