(GPO) Set AD-User as local admin on all PCs in specific OU


You add local admins with Restricted Groups, which is in Computer Configuration. Therefore you can by definition add this GPO for the OU containing the computers you want it to affect.

  1. Add a new Group Object in your AD, e.g. DOMAIN\Local Admins. Its container is not relevant.
  2. Add a new GPO "Local Admins" and link it to the OU=PC.
  3. In Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, add the group DOMAIN\Local Admins.
  4. Under "This group is a member of", add the groups Administrators and Remote Desktop Users.

If you use different language versions of Windows the administrative group names can be different. In multilingual environments you can refer to these generic groups by their security identifiers (SIDs):

  • S-1-5-32-544 for Administrators
  • S-1-5-32-555 for BUILTIN\Remote Desktop Users
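
As an added illustration (not part of the original answer), the script below provisions steps 1 and 2 with the RSAT ActiveDirectory and GroupPolicy cmdlets and then audits the outcome from a defender's point of view: it confirms the group was not accidentally placed in the domain's own Administrators or Domain Admins groups, and after a Group Policy refresh it queries every computer in the OU by SID (S-1-5-32-544 and S-1-5-32-555) so the check works on any language version of Windows. The OU path OU=PC, the group name "Local Admins" and the GPO name are placeholders taken from the thread; the Restricted Groups setting itself (steps 3 and 4) is still configured in the GPMC editor as described above and is not scripted here.

```powershell
# Added example, not the original answer's code. Assumes RSAT (ActiveDirectory
# and GroupPolicy modules), WinRM enabled on the target PCs, and placeholder
# names: OU "PC", group "Local Admins", GPO "Local Admins".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$targetOu  = "OU=PC,$domainDn"      # placeholder OU from the question
$groupName = 'Local Admins'         # placeholder group name
$gpoName   = 'Local Admins'         # placeholder GPO name

# Step 1: the AD group. Its container does not matter for Restricted Groups.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
$group = Get-ADGroup -Identity $groupName

# Step 2: the GPO, linked only to the OU that holds the computers.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Audit 1: the group must NOT be a member of the domain's own Administrators
# or Domain Admins groups. The GPO only touches each computer's local group;
# membership here would make every member a domain administrator.
foreach ($domainGroup in @('Domain Admins', 'Administrators')) {
    $memberSids = Get-ADGroupMember -Identity $domainGroup -Recursive |
        ForEach-Object { $_.SID.Value }
    if ($memberSids -contains $group.SID.Value) {
        Write-Warning "'$groupName' is a member of domain group '$domainGroup'; remove it."
    }
}

# Audit 2: after gpupdate on the clients, every computer in the OU should list
# the group in local Administrators (S-1-5-32-544) and Remote Desktop Users
# (S-1-5-32-555). Querying by SID rather than by name makes the check
# independent of the Windows display language.
$computers = Get-ADComputer -SearchBase $targetOu -Filter * |
    Select-Object -ExpandProperty Name
$report = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    param($expectedSid)
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
            ForEach-Object { $_.SID.Value }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            LocalGroupSid  = $sid
            HasLocalAdmins = ($members -contains $expectedSid)
        }
    }
} -ArgumentList $group.SID.Value

# Any row with HasLocalAdmins = False is a machine that has not applied the
# GPO yet (or is outside the OU and should not be expected to).
$report | Sort-Object Computer, LocalGroupSid | Format-Table -AutoSize
```

Run it from a management host as a user who can administer the OU and read the target computers; the first section is idempotent, so re-running it only repeats the two audits.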

Updated on September 18, 2022

Comments

  • Mr. Buttons
    Mr. Buttons almost 2 years

    In my AD I have these two OU's: OU PC and OU User. There are a few users in the OU "Users" and several machines in the OU "PC". I now need to write a GPO for one of these users which will automatically add him to the "local administrator group" on all of these machines - which either already are in that OU "PC", or will be added in the future. Of course I could set him as a local admin manually on all of these PC's, but I need it to do that automatically.

    Is there an option or a way to do that using a GPO?

    Greetings!

  • Mr. Buttons
    Mr. Buttons about 7 years
    Thank you! I have a question: If I add the Group "Local Admins" to the Group "Administrators", don't the members of the group "Local Admins" then become domain administrators? They are only meant to have the local administrator rights on all machines that are in the OU "PC" and not on a single other PC in the domain.
  • Esa Jokinen
    Esa Jokinen about 7 years
    The Restricted Groups exist exactly to prevent that! You don't add the group into the Administrators AD group. The GPO adds the group to the builtin Administrators group on every single computer the GPO is applied to. Then, you can add more Local Admins to that group and they will have administrative rights on target computers without waiting for the Group Policy refresh interval.