Apply a GPO only if user is local Admin

    Question

  • Server 2008 R2, Clients: Windows7

    Hi all, 

    I need a GPO that applies only if the user is a local Admin on the computer they log on to. I think that with WMI filters I can get it, but I can't do it.

    The SID of local Admin is always 'S-1-5-32-544'

    I created this WMI filter

    Select * From Win32_Group Where LocalAccount = TRUE AND SID = 'S-1-5-32-544'

    but it applies whenever there is a group with SID 'S-1-5-32-544' on the computer, I mean, always.

    I tried to create another one with the Win32_UserAccount class

    Select * From Win32_UserAccount Where...

    The class Win32_UserAccount has the SIDType property, but it contains enumerated values that specify the type of security identifier; the value 2 is SIDTypeGroup, but I would need to create a SQL request that applies if SIDTypeGroup is 'S-1-5-32-544' ...

    Can someone tell me how to do this?


    • Edited by Hugo Pau Monday, February 23, 2015 1:04 PM
    Monday, February 23, 2015 12:16 PM

Answers

  • The local administrator is a local account and thus user GPO does not apply.

    If you mean an account that is a member of the local 'administrators' group, I think you had better turn the design around, so that the local administrator membership is governed by an AD group. You can use that one to apply security filtering to the GPO.

    I think WMI will not contain the required information (current user group membership).


    MCP/MCSA/MCTS/MCITP

    Monday, February 23, 2015 2:43 PM
  • > Select * From Win32_Group Where LocalAccount = TRUE AND SID =
    > 'S-1-5-32-544' but applies whenever there is a group 'S-1-5-32-544' in
    > the computer, i mean, always.
     
    As Senne suggested: Create a Domain Group and use "Restricted Groups" or
    "GPP Local Users and Groups" to make this domain Group member of local
    administrators.
     
    You cannot solve this with WMI. WMI filters cannot contain variables,
    and you would at least need one variable for the currently logging in user.
     

    Martin

    How about reading a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 4:05 PM
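The following PowerShell is an added example, not code from any of the posters. It shows, on a client, why the filter from the question is always true (WMI filters are evaluated against the computer, so the query simply finds BUILTIN\Administrators, which exists on every machine), what WMI can legitimately tell you (the members of local Administrators via the Win32_GroupUser association), and how to verify and apply the design Senne and Martin recommend: a domain group placed into local Administrators, with the GPO security-filtered to that group. The GPO name 'Local Admin Settings' and the group 'CONTOSO\Workstation-Admins' are placeholders; the Set-GPPermission part needs the GroupPolicy module (RSAT) on a management host.

```powershell
# Added example (not from the thread). Run on a domain-joined client as an administrator.
# Placeholders: GPO 'Local Admin Settings', domain group 'CONTOSO\Workstation-Admins'.

# 1. The WMI filter from the question, evaluated the way the GPO engine does:
#    against the computer, with no notion of which user is logging on.
$filter = "Select * From Win32_Group Where LocalAccount = TRUE AND SID = 'S-1-5-32-544'"
$result = @(Get-WmiObject -Query $filter)
# BUILTIN\Administrators is present on every Windows machine, so this is non-empty
# everywhere, which is why the filter always evaluates to true.
"Filter matched {0} object(s): {1}" -f $result.Count, (($result | ForEach-Object { $_.Caption }) -join ', ')

# 2. What WMI can tell you: the current members of the local Administrators group.
#    Win32_GroupUser associates the group with its member users and groups.
#    Caveat: resolving nested domain groups can be slow when the DC is unreachable.
$assocQuery = "ASSOCIATORS OF {Win32_Group.Domain='$env:COMPUTERNAME',Name='Administrators'} WHERE AssocClass=Win32_GroupUser"
$members = @(Get-WmiObject -Query $assocQuery | ForEach-Object { "{0}\{1}" -f $_.Domain, $_.Name })
"Local Administrators members:"
$members

# 3. Verify the recommended design: the domain group must be in local Administrators
#    (put there by Restricted Groups or GPP Local Users and Groups).
$domainGroup = 'CONTOSO\Workstation-Admins'   # placeholder
if ($members -contains $domainGroup) {
    "OK: $domainGroup is a member of local Administrators"
} else {
    "MISSING: $domainGroup is not in local Administrators; check the Restricted Groups / GPP policy"
}

# 4. Security-filter the GPO so only that group applies it (run where RSAT is installed).
#    Authenticated Users keeps Read (GPOs are read in computer context since MS16-072);
#    -Replace is required to lower its level from Apply to Read.
Import-Module GroupPolicy
Set-GPPermission -Name 'Local Admin Settings' -TargetName $domainGroup -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name 'Local Admin Settings' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
```

Steps 1 to 3 run on any Windows 7 / Server 2008 R2 machine with the built-in Get-WmiObject cmdlet; step 4 is a one-time change on the GPO itself. The membership check in step 3 is also a cheap detection control: any account in the local Administrators list that is not the managed domain group (or the built-in Administrator) is a deviation worth alerting on.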

All replies

  • OK, perfect, the problem is that the users are local admins with their domain account only on their own computer (company policies...). Thank you very much to both of you.
    Tuesday, February 24, 2015 6:29 AM