Managing Local Admins using GPP

This is a brain dump of something Alan Burchill and Lilia Gutnik presented at TechEd Australia 2009. It covers managing local administrators on your workstations using the power of Group Policy Preferences.

Edit – 08/05/2014: Apologies if this article’s a little confusing. It was intended as a brain dump for future reference, not really as a step-by-step guide.

My synopsis of it is this:

You want to dynamically control the members of the local Administrators group on specific PCs while still allowing you to manually edit the group on the local PC and add/remove members.

Once this policy is in place, all you need to do in the future is create domain groups that conform to the naming standard
“<computername>-Admins”, and it will be added to the local Administrators group on that PC.

Please also have a look at Alan Burchill’s article on the topic. He’s a Group Policy guru, so go and have a good look at his blog while you’re at it.

    1. Create a new GPO if necessary, and link it to the OU where it needs to be applied.
    2. Edit the new GPO, and go to Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups.
      [screenshot: gpp_1]
    3. Right-click in the pane on the right, and select New, Local Group.
    4. Set up the “New Local Group” as per below. I’ve got it removing all existing users and groups so that we can define everything we need using Group Policy. In the screenshot below, we’re using the variable %computername% to ensure that the existing “Administrator” account on each computer is always added back into the group by this policy. You add variables like %computername% by pressing F3 whilst the cursor is in a text entry field.
      [screenshot: gpp_2]
    5. You also need to add a member named “%DomainName%%ComputerName%-Admins”.

      This will allow you to later on define a group in AD that can be used to assign local admin rights to a particular machine.

      The good thing about this is that you only need to define groups for the PCs that you wish to add local admins to, but all PCs that have the GPO applied are ready for this type of setup.
      [screenshot: gpp-3]

    6. The last step is to create a Security Group in AD with the name “<computername>-Admins”. For example, if you have a computer named syd-60128, you create a group in AD called “syd-60128-Admins”.

      Adding users into that group will then make its members administrators of that particular PC.

    7. Do a “gpupdate” on the machine in question, and you should see the group’s membership change:
      [screenshot: gpp-5]
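Scripting the AD side of steps 6 and 7, as an added example that is not part of the original article: the functions below create the “<computername>-Admins” group for a PC, audit every such group for orphans (a group whose computer object no longer exists), and read back a PC’s local Administrators group after a gpupdate. The OU path `OU=Workstation-Admin-Groups,DC=example,DC=com`, the function names and the sample user `jsmith` are placeholders; the code assumes the ActiveDirectory RSAT module on the admin workstation, and PowerShell remoting plus the LocalAccounts module (Windows 10 / Server 2016 and later) on the target.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article. Placeholder OU and suffix used
# by the "<computername>-Admins" naming convention described in the article.
$AdminGroupOU     = 'OU=Workstation-Admin-Groups,DC=example,DC=com'
$AdminGroupSuffix = '-Admins'

function New-WorkstationAdminGroup {
    # Step 6: create "<computername>-Admins" and add the initial members.
    # The GPP rule adds this group to the local Administrators group on the
    # matching PC at its next policy refresh.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$Members = @()
    )
    # Refuse to create a group for a computer that is not in AD; a stray group
    # would otherwise sit waiting for a machine of that name to appear.
    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    if (-not $computer) { throw "No computer object named '$ComputerName' in AD" }

    $groupName = "$ComputerName$AdminGroupSuffix"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $AdminGroupOU
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $AdminGroupOU `
            -Description "Local Administrators on $ComputerName (managed via GPP)" `
            -PassThru
    }
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $Members }
    return $group
}

function Get-WorkstationAdminGroupReport {
    # Audit the convention: every "*-Admins" group in the OU, whether its
    # computer object still exists, and who is in it. Orphans are the ones to
    # delete, because the next machine that reuses the name inherits the admins.
    Get-ADGroup -Filter "Name -like '*$AdminGroupSuffix'" -SearchBase $AdminGroupOU |
        ForEach-Object {
            $computerName = $_.Name.Substring(0, $_.Name.Length - $AdminGroupSuffix.Length)
            $computer     = Get-ADComputer -Filter "Name -eq '$computerName'"
            $members      = Get-ADGroupMember -Identity $_ |
                                Select-Object -ExpandProperty SamAccountName
            [pscustomobject]@{
                Group          = $_.Name
                ComputerName   = $computerName
                ComputerExists = [bool]$computer
                Members        = ($members -join ', ')
            }
        }
}

function Test-WorkstationAdminMembership {
    # Step 7: force a computer policy refresh on the PC, then read back the
    # local Administrators group to confirm the GPP rule applied.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate /target:computer /force | Out-Null
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
}

# Usage, with the computer name from the article and a placeholder user:
# New-WorkstationAdminGroup -ComputerName 'syd-60128' -Members 'jsmith'
# Get-WorkstationAdminGroupReport | Where-Object { -not $_.ComputerExists }
# Test-WorkstationAdminMembership -ComputerName 'syd-60128'
```

The report is the check worth scheduling: the GPP rule only matches on the group’s name, so it never notices when the computer behind a group is retired or renamed. The same property means that whoever can create groups in that OU can grant local admin on any PC the GPO covers, so the OU’s group-creation permission deserves the same scrutiny as membership of the groups themselves.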

7 thoughts on “Managing Local Admins using GPP”

  1. Thanks for this. Helped me set up a GPO to add a new AD group to local admins on each computer without overwriting what is already in the Administrators group (which is what restricted groups does if I understand correctly).

  2. GPP Not Working

    I have a Windows XP laptop that I am using to test with. I have the permissions set to apply to domain computers, but it is not applying properly.

  3. Hi Daniel, thanks a lot for this article. My question(s) is in reference to your reply to Paul about using “Restricted Groups”.

    1. What’s the difference(s) between doing it the Restricted Group way and doing it the way in the article?
    2. Can you please explain the “Common Tab” option – “Remove this option when it is no longer applied”?

    Thanks

    • Hi Staj.

      Restricted groups work well, but this method can be a little more “dynamic” (and also more troublesome)

      The reason I use it is so that I can have a single policy in place, and then create groups on demand for each PC. As soon as I create a group called “{whatever the computername is} local admins”, and put users in it, the GPP will make those users local administrators on that PC only. If you used restricted groups to do this, you’d need to create a separate policy per PC.

      The other part, remove when no longer applied, will undo the policy when it no longer applies. For example if you remove the user from the group, or remove the group from AD, the policy’s changes will be reversed.

      Another area you’ll see that same concept applied is in GP software deployment. You can roll back the installation if it no longer applies – if the policy no longer applies to that user or computer.

  4. Pingback: How to set up a domain user as a local administrator | Organizační kancelář Znojmo
