This is a brain dump of something Alan Burchill and Lilia Gutnik presented at TechEd Australia 2009. It covers managing local administrators on your workstations using the power of Group Policy Preferences.
Edit – 08/05/2014: Apologies if this article’s a little confusing. It was intended as a brain dump for future reference, not really as a step-by-step guide.
My synopsis of it is this:
You want to dynamically control the members of the local Administrators group on specific PCs while still allowing you to manually edit the group on the local PC and add/remove members.
Once this policy is in place, all you need to do in the future is create domain groups that conform to the naming standard “<computername>-Admins”, and each group will be added to the local Administrators group on the matching PC.
- Create a new GPO if necessary, and link it to the OU where it needs to be applied
- Edit the new GPO, and go to Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups
- Right-click in the pane on the right, and select New, Local Group
- Set up the “New Local Group” as per below. I’ve got it removing all existing users and groups so that we can define everything we need using Group Policy. In the screenshot below, we’re using the variable %computername% to ensure that the existing “Administrator” account on each computer is always added back into the group by this policy. You add variables like %computername% by pressing F3 whilst the cursor is in a text entry field.
- You also need to add a member named “%DomainName%\%ComputerName%-Admins”.
This will allow you to later on define a group in AD that can be used to assign local admin rights to a particular machine.
- The last step is to create a Security Group in AD with the name “<computername>-Admins”. For example, if you have a computer named syd-60128, you create a group in AD called “syd-60128-Admins”. Adding users into that group will then make them administrators of that particular PC.
- Do a “gpupdate” on the machine in question, and you should see the group’s membership change.
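An added example (not from the original article or the presenters): a PowerShell audit of this naming convention that lists who receives local admin on each computer through its “<computername>-Admins” group and flags groups that have no matching computer. It assumes the RSAT ActiveDirectory module is installed; the two OU paths are placeholders.

```powershell
# Added example: audit the "<computername>-Admins" convention.
# Assumptions (placeholders, not from the article): the two OU paths below.
Import-Module ActiveDirectory

$ComputerOU = 'OU=Workstations,DC=example,DC=com'        # placeholder: OU the GPO is linked to
$GroupOU    = 'OU=Local Admin Groups,DC=example,DC=com'  # placeholder: OU holding the -Admins groups

$computers = Get-ADComputer -Filter * -SearchBase $ComputerOU
$groups    = Get-ADGroup -Filter "Name -like '*-Admins'" -SearchBase $GroupOU

# 1. Per computer: does its group exist, and who gets local admin through it?
$report = foreach ($c in $computers) {
    $groupName = "$($c.Name)-Admins"
    $g = $groups | Where-Object { $_.Name -eq $groupName }
    if (-not $g) {
        [pscustomobject]@{ Computer = $c.Name; Group = $groupName; Status = 'NoGroup'; Members = '' }
        continue
    }
    # -Recursive expands nested groups, so indirect admins are listed too
    $members = Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Computer = $c.Name
        Group    = $groupName
        Status   = if ($members) { 'Populated' } else { 'Empty' }
        Members  = ($members | Sort-Object) -join ', '
    }
}
$report | Sort-Object Computer | Format-Table -AutoSize

# 2. Groups with no matching computer in $ComputerOU. Their members would become
#    local admins of any machine that later takes that name, so review or remove them.
$computerNames = $computers.Name
$groups |
    Where-Object { ($_.Name -replace '-Admins$', '') -notin $computerNames } |
    Select-Object Name, DistinguishedName
```

On the workstation itself, running `Get-LocalGroupMember -Group Administrators` after the “gpupdate” shows the resulting local membership.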