Adding Network Configuration Operators through Active Directory??

[snufles]

I feel retarded for askin but I'm stumped...

I have certain users that are apart of the  NETWORK CONFIGURATION OPERATORS and REMOTE DESKTOP USERS built-in Windows 2003 Active Directory Groups.

By adding the Users to these Groups this has no effect. So what do I have to do within a GPO to apply these settings across a domain. I know I can locally do this to each computer but I need these Users to modify TCP/IP and Remote Desktop into every computer in the domain - so adding it locally is to much admin overhead.

XP workstations...2003 servers

[drivenbywhat]

I don't have my vm setup to AD right now to test this out but here are two ways of doing what you're trying.

First I don't think by adding your users to the mentioned groups in AD automatically adds them to those groups in the local pcs. So if you want to add your users to those groups via policy then the one you are looking for is called Restricted Groups. This will make sure they are put in the groups in the local pcs. It's under computer config/windows sets/security sets/.

The other way is to create a domain group and then using the delegation wizard to give it the rights you want them to have. Whether or not these rights exist you'll have to find out when you use the wizard.

Last but not least, no one knows the answer to everything so you shouldn't feel retarded for asking this. Asking questions, practicing and reading as much as material as you can is how you learn your craft. Bye.

[snufles]

Yea I already tried messing with the Restricted Groups in AD but no go...I'll try again today and reply back a little later. Thanks...

[snufles]

Delegation wizard doesn't offer what I need. That seems to only be for AD controls, such as creating/deleting GPO's, etc.

As for Restricted Groups...
 - Created a new GPO "TESTGPO" (Enforced it in the correct OU with the users/computers)
 - Withing "TESTGPO" I added the restricted group "Group1"
 - In the "Members of this Group" section I added "User1"
  - In the "This Group is a Member of" section there is no possible way to add AD Built-in groups
With that being said...How do I give "User1" the right to only modify TCP\IP on every computer in the domain?

Again, "Group1" is a member of the AD Built-in group "Network Configuration Operators" and "User1" is a member of "Group1". I've never had to mess with the security of a group but I added Authenticated Users with Full Control, nothing.

[drivenbywhat]

I think you're supposed to used Remote & Network groups in the GPO that you want restricted. Then you add members such as GROUP1 or USER1 into it. In this situation you don't have to worry about THIS GROUP IS A MEMBER OF. That is just for more granular control of what group it should or shouldn't belong to. We don't really need this because we already are specifying the Network Config group and its members in the first tab. Not sure if I made sense or not. But here's a quick summary:

You had restricted group being group1 > members user1 >

group is a member of > network config (which you found out can't be done)

So ...

Restricted group should be Network Config > members should be group1 or user1

no need for GROUP IS A MEMBER OF

Here is a link to a good article on restricted groups:

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

[snufles]

DRIVENBYWHAT I LOVE YOU

I knew it would be something simple I didn't try. Never even thought to add the Built-in groups to the Restricted Group GPO setting...don't ask me why. Probably would of never figured it out, considering I already had it in my head Built-in Groups couldn't be added there.
Thanks again...err I wish I had that intuition to just sit and figure these types of problems out. Overlooking something this simple is really frustrating. Not to mention, this is a setting that almost every Domain Admin should know and need.

SOLVED!

[drivenbywhat]

Glad I was able to help you out. Happy administrating.