(GPO) Set AD-User as local admin on all PCs in specific OU
You add local admins with Restricted Groups, which is in Computer Configuration. Therefore you can by definition add this GPO for the OU containing the computers you want it to affect.
- Add a new Group Object in your AD, e.g. DOMAIN\Local Admins. Its container is not relevant.
- Add a new GPO "Local Admins" and link it to the OU=PC.
- In Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, Add Group DOMAIN\Local Admins.
- Add to "This group is a member of" groups: Administrators & Remote Desktop Users.
If you use different language versions of Windows the administrative group names can be different. In multilingual environments you can refer to these generic groups by their security identifiers (SIDs):
- S-1-5-32-544 for Administrators
- S-1-5-32-555 for BUILTIN\Remote Desktop Users
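As an added verification step (this is not part of the answer above), the following PowerShell script, run on a computer inside OU=PC after the policy has refreshed, confirms that the domain group was added to the two built-in groups. It resolves the well-known SIDs S-1-5-32-544 and S-1-5-32-555 to whatever the groups are called in the local Windows language, so the check works in multilingual environments. It assumes the domain group is named DOMAIN\Local Admins as in the answer; adjust the name for your domain.

```powershell
# Added example: verify that the Restricted Groups policy took effect on this PC.
# Assumption: the group created in AD is DOMAIN\Local Admins (name taken from the answer).
$DomainGroup = 'DOMAIN\Local Admins'

# Well-known SIDs of the two built-in groups the policy targets; these are
# language-independent, unlike the display names.
$TargetSids = @('S-1-5-32-544', 'S-1-5-32-555')

function Test-RestrictedGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $MemberName,
        [Parameter(Mandatory)] [string] $GroupSid
    )
    $sid = [System.Security.Principal.SecurityIdentifier]::new($GroupSid)

    # Translate the SID to the localized account name, e.g. BUILTIN\Administrators
    # on an English system or BUILTIN\Administratoren on a German one.
    $localName = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # Enumerate the local group by SID (no dependency on the localized name)
    # and look for the domain group among its members.
    $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
    $present = [bool]($members | Where-Object { $_.Name -eq $MemberName })

    [pscustomobject]@{
        Sid       = $GroupSid
        LocalName = $localName
        Member    = $MemberName
        Present   = $present
    }
}

# Optional: force a computer policy refresh before checking (needs admin rights).
# gpupdate /target:computer /force

foreach ($groupSid in $TargetSids) {
    Test-RestrictedGroupMembership -MemberName $DomainGroup -GroupSid $groupSid
}
```

If Present is False for either group, confirm with `gpresult /r /scope:computer` that the "Local Admins" GPO is listed under applied computer policies; if it is not, the computer object is most likely outside OU=PC or the link is disabled.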
Updated on September 18, 2022
Comments
- Mr. Buttons, almost 2 years ago:
In my AD I have these two OU's: OU PC and OU User. There are a few users in the OU "Users" and several machines in the OU "PC". I now need to write a GPO for one of these users which will automatically add him to the "local administrator group" on all of these machines - which either already are in that OU "PC", or will be added in the future. Of course I could set him as a local admin manually on all of these PC's, but I need it to do that automatically.
Is there an option or a way to do that using a GPO?
Greetings!
- Mr. Buttons, about 7 years ago: Thank you! I have a question: If I add the Group "Local Admins" to the Group "Administrators", doesn't the members of the group "Local Admins" then become domain administrators? They are only meant to have the local administrator rights on all machines that are in the OU "PC" and not on a single other PC in the domain.
- Esa Jokinen, about 7 years ago: The Restricted Groups feature exists exactly to prevent that! You don't add the group into the Administrators AD group. The GPO adds the group to the built-in Administrators group on every single computer the GPO is applied to. Then, you can add more Local Admins to that group and they will have administrative rights on target computers without waiting for the Group Policy refresh interval.