For Windows users, the user account which the common agent runs under requires local administrative rights. Because these rights are not necessarily guaranteed for domain users in a Windows domain environment, this topic provides information on how to grant local administrative rights for domain users. Using this procedure, you do not have to manually process each machine in the domain.
To use Group Policy to grant local administrative privileges to a domain account, complete the following steps:
- On the domain controller, go to Administrative Tools > Active Directory Users and Computers (you must be running with Domain Administrator privileges).
- Right-click on the Organizational Unit (OU) upon which you want to apply the Group Policy. Click Properties
- The Group Policy Properties panel is displayed. Select the Group Policy tab and click New to create a new Group Policy.
- Designate a name for the new Group Policy. Select the new Group Policy and click Edit.
- The Group Policy Object Editor panel is displayed. Go to New Group Policy Object <your_policy> > Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right-click on Restricted Groups. Click Add Group.
- For example, name the new group "Administrators." Under "Properties", add the user "Administrator", and the domain accounts or groups upon which you want the Group Policy in effect for. For example, you can add "TPC\tapeadmin", "TPC\tapegroup", and "TPC\TestGroup". Click OK.
- Add these user rights to the domain account:
- Act as part of the operating system
- Log on as a service
- In the Group Policy Object Editor, go to New Group Policy Object <your_policy> > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments. In the right pane, select "Log on as a service" and double-click. Add the domain user for whom you are granting the user right for and click OK. Repeat this step for "Act as part of the operating system."
- The group policy is now enforced for the Organizational Unit to include the domain accounts and groups specified under the local Administrators group on each computer in the Organizational Unit. In addition, the domain user has been granted the necessary rights. To verify this, log into a domain computer and open the Computer Management console. Select Groups, double-click on the Administrators group, and verify the membership of the domain users.