Add builtin group Interactive to the builtin group Administrators through Group Policy?

    Question

  • Is there a Group Policy incantation that allows me to add the builtin group Interactive to the builtin group Administrators on select computers? Seems as if Group Policy Preferences are only able to add domain groups and accounts, not local ones.
    Monday, November 04, 2013 11:57 AM

Answers

  • it looks a little like this:


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by Molotch Tuesday, December 10, 2013 9:09 AM
    Tuesday, November 05, 2013 11:27 PM
    > I think the problem is you aren't connected to the forest but the local computer's security policy. If I do I have the built-in security principals to choose from, but I can't add them to the forest policy.
    >
    > Are you really sure you have managed to add built-in security principals in the forest policy, your screenshots show the security policy of your local computer (wrkstn01)?
    >
    > Thanks for the effort:

    Yes, we have this implemented and working for some years now.
    Local GP doesn't offer GPP within GPMC/GPME.
    Because the BUILTIN\INTERACTIVE principal is an implicit group, with a non-domain context, it can only be referenced by the object picker if you set the scope to the "computer".

    EDIT: sequence of steps, which works for me, in Win7+RSAT

    [if needed, create a new GPO within GPMC]
    Open a GPO within GPME
    Expand: Computer Configuration -> Preferences -> Control Panel Settings
    Select: Local Users and Groups
    Right-click: Local Users and Groups [the context menu opens]
    Select: New -> Local Group ["New Local Group Properties" window opens]
    Click the "Group Name" drop-down arrow [not the ellipsis ...]
    Select "Administrators (built-in)"
    Click the "Add..." button ["Local Group Member" window opens]
    Click the ellipsis [...] button for Member Name [the "Select User, Computer, or Group" object picker window opens]
    Click the "Locations" button, and select the local computer object [not your domain]
    [NB: the "Select this object type" options will change to be "User, Group, or Built-in security principal"]
    [NB: the "From this location" option will change to be the local computer name]
    Click inside the "Enter the object name to select" field
    Type: interactive
    Click "Check Names" [the object name will be resolved to "INTERACTIVE"]
    Click OK to close the object picker window
    [Local Group Member:Name, is now resolved/validated as "BUILTIN\INTERACTIVE"]
    Click OK to close the "Local Group Member" window
    [New Local Group Properties:Members, now shows "BUILTIN\INTERACTIVE | ADD | S-1-5-4"]

    Click OK to close the "New Local Group Properties" window and commit the change into the GPO.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)



    Wednesday, November 06, 2013 7:58 PM
  • Here are the steps for creating a group policy to make NT AUTHORITY\INTERACTIVE a local admin on all domain joined workstations (not servers).

    1. Create a policy called "Workstation Local Admins" or whatever you like.  It's important that you do not link the policy to the domain level or any OU's at this point, or else your settings will not be limited to just workstations.
    2. Edit the policy and browse to Computer Configuration > Preferences > Control Panel Settings > Local users and Groups.
    3. Right-click on Local users and Groups and select New > Local Group.
    4. Set the Action to Update.
    5. Click the "Group Name" drop-down and select "Administrators (built-in)" option.
    6. Click the Add button and enter "NT AUTHORITY\INTERACTIVE" (without the quotes) in the Name field and make sure the Action field is set to "Add to this group".
    7. Click OK.  The policy is now created.  Now you need to limit it to only apply to workstations.
    8. Right-click WMI Filters and select New.
    9.  Name the Filter "Workstations Only" (without the quotes).
    10. Click the Add button.  You should see root\CIMv2 in the Namespace.
    11. Enter "Select * from Win32_ComputerSystem where DomainRole = 1" (without the quotes) in the Query field.  The DomainRole = 1 means that this will only apply to workstation operating systems.
    12. Click OK and then click Save.  The WMI query is now created, but you still need to apply it to the group policy you just created.
    13. Click on your group policy once again and select the Workstations Only WMI filter from the WMI Filtering drop-down at the bottom of the screen.
    14. Now just link your policy to the domain by right-clicking on your domain in GPO and selecting "Link an Existing GPO..." and it will apply to all workstations in the domain.  If that's too broad and you want to limit it to an OU, just link it to the OU that you want to target.  You can either leave Authenticated Users in the Security Filtering field or change it to Domain Computers or any other group.  Remember that this is a computer policy, so it will only apply to Computer accounts regardless of which option you choose.
    15. Wait for replication to occur, run gpupdate /force on a PC and after you refresh your Local Users and Groups on your PC you should see NT AUTHORITY\INTERACTIVE (S-1-5-4) in your group membership list on the PC.  You'll also notice that if you go to a server and run gpupdate /force that it will not get populated with the interactive account.

    I just created this doc while walking through the process on a couple of my domains and it works just fine every time I do it.  The nice thing is that it doesn't wipe out any of the existing group memberships that are on a PC, and users can add their own memberships as well without having them reset.  That's a common issue/problem when using GPO's Restricted Group policy method.

    • Edited by Telemaster Wednesday, December 04, 2013 9:46 PM
    • Marked as answer by Molotch Tuesday, December 10, 2013 9:08 AM
    Wednesday, December 04, 2013 9:42 PM
  • Thank you to everyone who posted in this thread, especially DonPick who made a superhuman effort, with images and everything. =)

    I finally solved it. I still got the error 0x80070534, i.e. SID translation failed, when I tried Telemaster's guide. Happened to notice "NT AUTHORITY\INTERACTIVE" is named "NT instans\Interaktiv" on our computers; changed the account name in the GPO and it applies without errors.

    We deploy the English Windows 7 version on all our workstations and apply a Swedish language pack on top of that. Maybe I should have noticed earlier. Thanks again.

    • Marked as answer by Molotch Tuesday, December 10, 2013 9:08 AM
    Tuesday, December 10, 2013 9:08 AM
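Added verification script, not from the thread or from any of its posters: it checks on a workstation whether the three things the accepted answers depend on hold, namely what this machine calls the INTERACTIVE principal (S-1-5-4, whose display name is localized, which is what produced the 0x80070534 mapping error above), whether S-1-5-4 actually ended up in the local Administrators group after gpupdate, and what Win32_ComputerSystem.DomainRole the WMI filter will see. It assumes PowerShell 3.0+ on a domain-joined client and only default cmdlets; the `$gpoName` value is a placeholder for the exact string typed into the GPP item.

```powershell
# Run on a domain-joined workstation after "gpupdate /force".

# 1. S-1-5-4 is the well-known SID for INTERACTIVE on every Windows build;
#    only its display name is localized (e.g. "NT AUTHORITY\INTERACTIVE" in
#    English, "NT instans\Interaktiv" on the Swedish-localized clients in the thread).
$interactiveSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-4'
$localName = $interactiveSid.Translate([System.Security.Principal.NTAccount]).Value
"S-1-5-4 resolves locally to: $localName"

# 2. Reverse check: does the name written into the GPO resolve on this box?
#    Replace with the exact string from the policy's Name field (placeholder value).
$gpoName = 'NT AUTHORITY\INTERACTIVE'
try {
    $sid = (New-Object System.Security.Principal.NTAccount $gpoName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    "'$gpoName' resolves to $sid"
} catch {
    # No name-to-SID mapping: the same condition reported as 0x80070534 in the thread.
    "'$gpoName' does NOT resolve here; use '$localName' in the GPO item instead"
}

# 3. Is S-1-5-4 a member of the local Administrators group? Bind to the group by
#    its own well-known SID (S-1-5-32-544) so this check is language-independent too.
$adminsName = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544').Translate(
    [System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group = [ADSI]"WinNT://./$adminsName,group"
$memberSids = @($group.Invoke('Members') | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0).Value
})
if ($memberSids -contains 'S-1-5-4') {
    "OK: INTERACTIVE (S-1-5-4) is a member of $adminsName"
} else {
    "MISSING: S-1-5-4 is not in $adminsName; inspect the GPP item in 'gpresult /h report.html'"
}

# 4. The WMI filter in the thread matches only DomainRole = 1 (member workstation).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
"DomainRole = $role (0/1 = standalone/member workstation, 2/3 = standalone/member server, 4/5 = DC)"
```

Step 3 lists members by SID rather than by name on purpose: a membership entry for a well-known principal shows the localized name in the GUI, but its SID is the same on every client.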

All replies

  • > Seems as if Group Policy Preferences are only able to add
    > domain groups and accounts, not local ones.
     
    That's correct. Please give more detail on what you want to achieve -
    there are other possibilities using Group Policy Preferences "local
    users and groups". (e.g. adding the current user to the local
    administrators...)
     

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, November 04, 2013 2:38 PM
  • Well, I would like to add the local interactive users group to the local administrator group. I want only locally logged on users to be administrators on a few of our computers, and only when they're logged on.

    We have some service accounts for installation services which are added to the local administrator group through GPPs; I don't want them to be affected.

    Monday, November 04, 2013 2:57 PM
  • Group Policy Preferences can add local accounts and groups... Type it in the format of  COMPUTERNAME\GROUPNAME and it will add the local group.

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Tuesday, November 05, 2013 2:08 AM
  • You *can* add INTERACTIVE into LocalAdmins via GPP, that's what we do.

    I'm not at work just now so can't verify, but I think we specified BUILTIN\INTERACTIVE


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, November 05, 2013 7:32 AM
  • @Don

    I'd be very grateful if you could verify the name you apply in the GP to get Interactive. I've tried BUILTIN\Interactive and NT AUTHORITY\Interactive and both give me the error 0x80070534 with the explanation:

    Inställningsobjektet dator Administrators (built-in) i grupprincipobjektet Accounts - Interactive User Local Admin {40B2650A-C7D9-47B7-9593-DC4BEBC7DE89} tillämpades inte eftersom det misslyckades med felkoden 0x80070534 Det har inte gjorts någon mappning mellan kontonamn och säkerhets-ID.%%100790273

    Which roughly translates to:

    The setting object Administrators (built-in) in the group policy Accounts - Interactive User Local Admin {40B2650A-C7D9-47B7-9593-DC4BEBC7DE89} was not applied because it failed with the error code 0x80070534. No mapping between account name and security ID has been made.%%100790273

    Same error for both BUILTIN\Interactive and NT AUTHORITY\Interactive.

    @Alan

    I tried adding %computername%\Interactive and got the same error as above. I also tried a language localized version of the group name Interaktiv with the same result.

    Tuesday, November 05, 2013 10:23 AM
  • My "Select User or Group" popup doesn't show "User, Group or Built-In security principal" below "Select this object type". It just says "User or Group"; the only other object type available is Computer, but there's no obvious way to select Built-In security principals.

    From Location the domain is the top node.

    Wednesday, November 06, 2013 8:13 AM
  • > My "Select User or Group" popup doesn't show "User, Group or Built-In security principal" below "Select this object type". It just says "User or Group"; the only other object type available is Computer, but there's no obvious way to select Built-In security principals.
    >
    > From Location the domain is the top node.


    Hmm, my example is from a workstation (win7) which has RSAT installed.
    Is the OS of your machine older?
    From memory, on WS2003 etc you need to select "Computer" in the "Object Types" picker, *and* then manually type in BUILTIN\INTERACTIVE, and click "Check Names" to validate it.

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, November 06, 2013 9:40 AM
  • I think the problem is you aren't connected to the forest but the local computers security policy. If I do I have the built-in security principals to choose from, but I can't add them to the forest policy.

    Are you really sure you have managed to add built-in security principals in the forest policy, your screenshots show the security policy of your local computer (wrkstn01)?

    Thanks for the effort:

    Wednesday, November 06, 2013 4:02 PM
  • Thanks, GPME crashes when I click "OK" after I've switched location to local computer and chosen Interactive in the object picker window. I'll try with another computer.

    edit: Same on the other computer. GPME crashes. Do you run the 32-bit or 64-bit RSAT on 32-bit or 64-bit Windows?

    • Edited by Molotch Thursday, November 07, 2013 10:11 AM
    Thursday, November 07, 2013 9:34 AM
  • > Thanks, GPME crashes when I click "OK" after I've switched location to local computer and chosen Interactive in the object picker window. I'll try with another computer.
    >
    > edit: Same on the other computer. GPME crashes. Do you run the 32-bit or 64-bit RSAT on 32-bit or 64-bit Windows?

    My repro steps above are based on Win7-x64.
    In the past, I've done this on Win7-x86, and also Win8-x86.

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, November 07, 2013 7:38 PM
  • Hi,

    Any update?

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Andy Qi
    TechNet Community Support

    Wednesday, November 13, 2013 3:16 AM
    Moderator
  • Never got it to work. Gonna give it a try in a Server 2008 R2 schema level domain.
    Thursday, November 28, 2013 10:25 AM