This is a brain dump of something Alan Burchill and Lilia Gutnik presented at TechEd Australia 2009. It covers managing local administrators on your workstations using the power of Group Policy Preferences.
- Create a new GPO if necessary, link it to the OU where it needs to be applied
- Edit the new GPO, and go to Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups
- Right-click in the pane on the right, and select New, Local Group
- Set up the “New Local Group” as per below. I’ve got it removing all existing users and groups so that we can define everything we need using Group Policy. You add variables like %computername% by pressing F3 whilst the cursor is in a text entry field.
I also included the Description text that is shown on the default local Administrators group; "Administrators have complete and unrestricted access to the computer/domain”
- You also need to add a member called “domainname\%ComputerName%-Admins”. This will allow you to define a group in AD that can be used to assign local admin rights to a particular machine.
The good thing about this is that you only need to define groups for PCs that you wish to add local admins to, but all PCs that have the GPO applied are ready for this type of setup.
- You can also go into the Common tab and select “Remove this item when it is no longer applied”
- The last step is to create a Security Group in AD with the name {computername}-Admins. For example, if you have a computer named syd-60128, you create a group in AD called syd-60128-Admins. Adding users into that group will then make those users a local administrator for that particular PC.
- Do a “gpupdate” on the machine in question, and you should see the group’s membership change:
