Group Policy Preferences to add computer accounts as Admins on computers?

    Question

  • We are a 2012R2 domain and we manage all of our servers using GPP to control who is an administrator.  We just do not want Administrators going through and adding contractors, etc. as administrators on their servers, without going through proper change management, etc.

    2012R2 clusters have a feature called cluster aware updates to make windows updates, etc. a lot smoother across the cluster.  One of the things it requires is that the CNO (Cluster Computer account) be added as an administrator to the nodes on the cluster.  The problem I have is that GPP will not allow me to add computer accounts to the administrators group.  Since I must get GPP to clear all settings before applying, this is causing an issue.  Does anyone know if GPP in 2016, etc. will allow you to add a computer account to be a local administrator on a computer?

    Thanks,


    Dave


    Monday, May 01, 2017 3:45 PM

Answers

  • You can try adding the computer as part of an AD group then grant the permission to the group. You can also consider using Restricted Groups Group Policy instead: https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    • Marked as answer by DaveBryan37 Monday, May 01, 2017 10:37 PM
    Monday, May 01, 2017 10:35 PM
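
The group-based approach from the answer above, as an added PowerShell example that is not part of the original thread: it creates a domain security group, puts the CNO computer account in it, and then reviews the result so the GPP Local Users and Groups item can reference the group instead of the computer account. The group name, OU path, CNO name and node names are hypothetical placeholders.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# RSAT module and rights to create groups in the target OU.
Import-Module ActiveDirectory

# Hypothetical values: replace with your own naming and OU structure.
$GroupName = 'SRV-Cluster01-LocalAdmins'          # group the GPP item will add to Administrators
$GroupPath = 'OU=Server Groups,DC=example,DC=com' # OU that holds server admin groups
$CnoName   = 'CLUSTER01'                          # cluster name object (computer account)
$Nodes     = 'NODE01', 'NODE02'                   # cluster nodes targeted by the GPO

# Create the security group only if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description 'Local admin on Cluster01 nodes (CNO only)' -PassThru
}

# Add the CNO computer account to the group if it is not already a member.
$cno     = Get-ADComputer -Identity $CnoName
$members = Get-ADGroupMember -Identity $group
if ($members.DistinguishedName -notcontains $cno.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $cno
}

# Review step: the group should contain the CNO and nothing else.
# Anything unexpected here is an admin grant that bypassed change management.
Get-ADGroupMember -Identity $group |
    Select-Object Name, objectClass, DistinguishedName

# After the GPP item references the group and policy has refreshed on the nodes,
# list the local Administrators group on each node and compare it to the policy.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    "== $env:COMPUTERNAME =="
    net localgroup Administrators
}
```

Because membership of this group now equals local administrator rights on the nodes, restrict who can modify the group and include it in regular membership reviews.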

All replies

  • Great answer, and not sure why I did not think of that before, but going through groups on the exceptions should work.

    Dave


    Monday, May 01, 2017 10:38 PM