none
Need to give local Administrator group Full Control using a gpo

    Question

  • Hi

    I have a situation whereby I need to push specific permissions out to %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder using a GPO.  I can manage most of the domain users/groups, but I also need to add the local machine Administrators group as well.

    Is there an way I can do this?

    Thanks
    Tony

    Wednesday, August 26, 2015 1:03 PM

Answers

  • Normaly it should work if you add the local Administrator to the GPO-Definition , the build-in Accounts have the same SSID (S-1-5-32-544 for BuildIn\) as described here: https://support.microsoft.com/en-us/kb/243330

    So with a bit luck <Server>\Administrators will convert to <Client-Hostname>\Administrators when the policy applies.


    Edit: Just did a short test -> it works this way, but only for BuildIn Groups, if you use a self created group the SSID on the server is different and shown on the client as "unknown account".

    Wednesday, August 26, 2015 1:27 PM

All replies