Create Local Admin User on Domain Computers through GPO

All replies

  • Hi

     The correct and useful method is that you could configure user accounts or groups into the local Administrators group with GPO (restricted groups GPO).

    Check these articles:

    https://support.microsoft.com/en-us/kb/279301

    http://gpfaq.se/2007/09/09/how-to-using-restricted-groups/

    https://technet.microsoft.com/en-us/library/cc785631%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Brad_Voris Tuesday, September 15, 2015 12:43 PM
    • Unproposed as answer by Hasan Bin Hasib Tuesday, September 15, 2015 6:36 PM
    Tuesday, September 15, 2015 11:42 AM
  • I am with Burak on this one.

    Create a domain account on the domain.

    Add that user to the local admins group on the local machine. Use GPOs to restrict and control.

    Tuesday, September 15, 2015 12:43 PM
  • Above method will create a domain user account.

    But I need to have a local user account and not a domain user account.

    I need a local user (with administrative privileges) to be created on domain computers. This local account will be used  by our Desktop-Support Technicians, since they frequently need to rejoin/dis-join the computers to the domain.

    Please help me in creating a Local User on the domain computers.

    Tuesday, September 15, 2015 6:45 PM
  • Hi

     Microsoft has removed the ability to create or modify any Group Policy which contains a Group Policy Preference that specifies account credentials. So you could not create and configure a local account on domain computers; you could only create a restricted groups GPO and put your desktop technicians or tech group in it.

    MS14-025: An Update for Group Policy Preferences

    http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, September 15, 2015 6:51 PM
  • 1. I go to Lusrmgr.msc of my computer

    2. Right-click the Users --> Select 'New User' --> Create a new user with the name 'Technician'

    3. Now I go to Groups --> Administrators --> Add the user Technician to the Administrators group.

    I want to do exactly same thing on my every domain computer with Group Policy.

    Please guide me how can I do it.

    Many thanks

    Tuesday, September 15, 2015 6:59 PM
  • Hi

     Unfortunately this feature is not available anymore for security reasons (creating a local account with GPO). As I already mentioned, you just configure the restricted groups GPO.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, September 15, 2015 7:34 PM
  • On 15.09.2015 Burak Uğur wrote:
    Hi,

      Unfortunately this feature is not available anymore for security reasons (creating a local account with GPO). As I already mentioned, you just configure the restricted groups GPO.

    Another way to achieve this is using LAPS and give the PC technicians the permission to read the local administrator passwords from AD.
    Take a look here:
    https://www.microsoft.com/en-us/download/details.aspx?id=46899

    HTH
    Norbert


    Dilbert's words of wisdom #19:
    Am I getting smart with you? How would you know?
    nntp-bridge access to the MS forums possible again: https://communitybridge.codeplex.com/

    Wednesday, September 16, 2015 12:08 AM
  • I think you guys are missing the point. I am getting LAPS setup and I want to use a custom local account. The account does NOT currently exist on any of the servers in question. I want to be able to create a new local admin account via GP so as to NOT use the built-in admin account. It is stated in the LAPS_OperationsGuide.docx: "DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed."

    So the answer is not to use LAPS, because LAPS doesn't create the custom account!!! The only thing I have come up with is to create a custom account on each and every server as part of the build process. This is crazy considering I have over 2000 servers I want to use LAPS on...

    Any Questions!??

    Friday, October 23, 2015 6:28 PM
  • I have the same problem. How do I create a local user, never mind admin, on a bunch of domain-joined machines, without having to manually log onto each and create it via lusrmgr.msc? It tries to create the account but runs into an error that says "password does not meet complexity requirement" but, of course, I can't even enter an initial password. I wanted to use LAPS to manage the password but, first, I need the local account created since LAPS doesn't offer the option to create an account.

    Sunday, December 20, 2015 7:16 PM
  • By the way, the reason why I need a local account instead of a domain account that is part of a local group (as suggested by the "restricted group policy" method) is because, if the computer somehow gets disjoined from the domain, the domain account on the local machine will not work. Thus, it is necessary to continue to use a local account. However, I do not want to use the built-in Administrator account (disabled for security reasons, via GPO, thank you). Rather, I would like to create a new local account. Again, this does not seem possible without supplying an initial password. I'll keep looking for an answer, be it PowerShell or psexec, but it has to be possible one way or another. Or, if the LAPS maintainer can add in account creation functionality, this would be great. Thanks!

    Sunday, December 20, 2015 7:28 PM
  • Hi
     
    On 20.12.2015 at 20:16 AshlandSG wrote:
    > How do I create a local user, never mind
    > admin, on a bunch of domain-joined machines,
     
    Computer startup script
    -> net user ... "YourPAssW0rDThatM33etsthecomplex1ty$%&=)&/§" /add
     
    Group membership can be done in the same script or better by GPP or
    restricted groups.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, December 21, 2015 10:51 AM
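Mark's computer-startup-script approach written out as an added example (not Mark's or any other poster's code), also covering the "password does not meet complexity requirement" failure and the LAPS custom-account need raised earlier in the thread. The account name is a hypothetical placeholder; the initial password is generated to satisfy the default complexity rule instead of being hard-coded (a startup script in SYSVOL is readable by every domain user, the same exposure MS14-025 addressed for GPP cpassword), and the script is idempotent so it can run on every boot.

```powershell
# Added example: GPO computer startup script (Computer Configuration -> Policies ->
# Windows Settings -> Scripts -> Startup). Runs as SYSTEM at boot on each domain computer.
# $AccountName is a hypothetical placeholder; the initial password is random and never
# stored, so nothing secret sits in the SYSVOL-readable script. LAPS rotates it afterwards.
$AccountName = 'Technician'

function New-RandomPassword {
    param([int]$Length = 20)
    # One char from each set satisfies the default complexity policy (3 of 4 classes,
    # length >= minimum). No quote, backslash or space, so the value is safe to pass on.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    $pick = { param($pool) $rng.GetBytes($buf); $pool[[int]([BitConverter]::ToUInt32($buf, 0) % $pool.Length)] }
    $chars = @(foreach ($s in $sets) { & $pick $s })
    $all = -join $sets
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    -join ($chars | Sort-Object { Get-Random })   # shuffle so the set order is not predictable
}

$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$existing = $computer.Children | Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -eq $AccountName }

if (-not $existing) {
    # ADSI keeps the password off the process command line, unlike "net user name pw /add",
    # so it does not leak through process-creation auditing (event 4688 with command line).
    $user = $computer.Create('User', $AccountName)
    $user.SetPassword((New-RandomPassword))
    $user.Put('Description', 'Desktop-support local admin; password managed by LAPS')
    $user.SetInfo()
}

# Idempotent group membership: only add when not already a member of Administrators.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -notcontains $AccountName) {
    $group.Add("WinNT://$env:COMPUTERNAME/$AccountName,user")
}
```

To hand the account to LAPS, set the LAPS policy "Name of administrator account to manage" to the same account name; the random initial password then only has to survive until the first LAPS rotation.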
  • > Thus, it is necessary to continue to use a local account.  However, I do
    > not want to use the built-in Administrator account (disabled for
    > security reason, via GPO, thank you).
     
    Using a newly created account that is a member of local administrators
    or the builtin administrator is not much of a difference... And if I can
    boot the computer in safe mode, the builtin admin is enabled anyway, so
    LAPS would be perfectly ok in your scenario :)
     
    Monday, December 21, 2015 1:05 PM