none
How to add a *local* group to local Administrators via group policy

    Question

  • Scenario:

    • I manage a set of computers in an OU within my organization's AD.
    • I do not have control of the GPO's at the top of the OU hierarchy nor do I want to break the inheritance of those GPO's.
    • My organization has an top-level GPO which clears out the local Administrators group and adds a specific set of domain users and groups.

    Problem:

    • I want to be able to make some users administrators of only their own workstations.
    • I want to do this without having to make a separate OU for each of these users' workstations. The list of users is small enough where I don't mind giving them admin rights from their workstation.

    Proposed solution:

    • I want to make an extra local group on their computer called, say, "ExtraLocalAdmins" and then add that group to the local Administrators group. Then, I can add individual users to each workstation's ExtraLocalAdmins group.

    Where I need help:

    • Because the top-level GPO's clear and repopulate the local Administrators group on every gpupdate, I need a way to add this ExtraLocalAdmins group to Administrators without clearing out the domain users/groups which have been placed there by the top-level GPO's (and, of course, without deleting/re-creating ExtraLocalAdmins). The problem is, I've been unable to get this to work. I've tried using Restricted Groups to specify .\ExtraLocalAdmins and then add "This group is a member of: Administrators", but it isn't taking effect.

    Any ideas? Is there a better approach I should be using?

    • Moved by Guowen Su Wednesday, September 23, 2015 1:43 AM Topics on GPO. rerouted to GPO forum
    Sunday, September 20, 2015 7:11 PM

Answers

  • >   * I want to make an extra local group on their computer called, say,
    >     "ExtraLocalAdmins" and then add /that/ group to the local
    >     Administrators group.
     
    You cannot. Local groups cannot be nested.
     
    What you CAN do: Use GPP "Local users and groups". Add the user directly
    to the local admins if he is a member of a given domain group (Item
    Level Targeting).
     
    Example:
     
    JohnDoe logs on to JohnDoeWorkstation. Create a Domain Group
    "JohnDoeWorkstation-Admins", add JohnDoe to this Group.
     
    In GPP Local Users and Groups, add the local Administrators group and
    add %LogonUser% as a Member. Enable Item Level Targeting, Filter
    "Security Group", "User is a Member of", Group Name
    %Computername%-Admins (do NOT use the object picker here!).
     
    Done...
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, September 23, 2015 8:56 AM