Need to give local Administrator group Full Control using a gpo


  • Hi

    I have a situation whereby I need to push specific permissions out to %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder using a GPO.  I can manage most of the domain users/groups, but I also need to add the local machine Administrators group as well.

    Is there an way I can do this?


    Wednesday, August 26, 2015 1:03 PM


  • Normaly it should work if you add the local Administrator to the GPO-Definition , the build-in Accounts have the same SSID (S-1-5-32-544 for BuildIn\) as described here:

    So with a bit luck <Server>\Administrators will convert to <Client-Hostname>\Administrators when the policy applies.

    Edit: Just did a short test -> it works this way, but only for BuildIn Groups, if you use a self created group the SSID on the server is different and shown on the client as "unknown account".

    Wednesday, August 26, 2015 1:27 PM

All replies