local admin rights GPO

    Question

  • Windows Server 2012 R2 domain. My request is to create a computer GPO to allow specific machines to keep local admins; the current policy removes local admins. Any ideas?
    Sunday, March 19, 2017 12:42 PM

Answers

  • On 19.03.2017 at 13:42, Dave_17 wrote:
    > Windows Server 2012 R2 domain, My request is creating a computer GPO to
    > allow specific machines to keep local admins, current policy removes
    > local admins. Any ideas?
     
    Change GPO, restricted Groups from:
     
    Groupname        Members      Member of
    Administrators   Yourgroup               = Replace
     
    to:
    Groupname        Members      Member of
    Yourgroup                     Administrators = Merge
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    • Proposed as answer by Todd Heron Sunday, March 19, 2017 1:01 PM
    • Marked as answer by Dave_17 Monday, March 20, 2017 11:39 AM
    Sunday, March 19, 2017 12:59 PM
  • Hi,

    Based on my test, we could create a security group that contains these computers and name it “Local Admin Machine”. Then we go to the GPO, and filter group “Local Admin Machine” to rule the computers out, so that they can keep their local admins. I think this method will be able to reach your original request directly.

    Best Regards,

    Alvin Wang



    • Marked as answer by Dave_17 Monday, March 20, 2017 11:39 AM
    Monday, March 20, 2017 2:30 AM
    Moderator
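
The Replace and Merge forms from the first answer can be told apart in the GPO's stored security template (`Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under the policy folder in SYSVOL). The following is an added example, not code from any poster in this thread: it reads the `[Group Membership]` section and reports which form touches the local Administrators group. The function name, the sample text and the domain SIDs are constructed for illustration, and the caller is assumed to have already read the file into a string.

```python
# Added example: classify Restricted Groups entries that touch local Administrators.
# Identifiers under which the built-in Administrators group may appear as a key or value.
ADMIN_IDS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed samples: the two forms from the answer as they appear in GptTmpl.inf.
# The domain SIDs are made-up placeholders.
SAMPLE_REPLACE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""
SAMPLE_MERGE = """\
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""


def admin_group_entries(inf_text):
    """Return (mode, group, principals) tuples for entries affecting Administrators."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        kind = kind.lower()
        # Simplification in this example: an empty Members list is not reported.
        if kind == "members" and group.lower() in ADMIN_IDS and values:
            # "Members" set on Administrators: the Replace form from the thread.
            findings.append(("replace", group, values))
        elif kind == "memberof" and any(v.lower() in ADMIN_IDS for v in values):
            # Group listed as "Member of" Administrators: the Merge form.
            findings.append(("merge", group, values))
    return findings


if __name__ == "__main__":
    for name, text in (("replace", SAMPLE_REPLACE), ("merge", SAMPLE_MERGE)):
        print(name, admin_group_entries(text))
```

A "replace" finding means machines in scope of that GPO lose any local admins not listed, so those are the policies to change to the merge form or to filter by group.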
