Create Local Administrator group on computer via GPO

    Question

  • I have created a group on my in AD called LocalAdmins.

    The purpose of this is to add the LocalAdmins group which I can then add users to on the DC that will then have Local administrator access to the individual computers that I add the LocalAdmins Group to. If I add the group manually to each workstation computer it works fine.

    However to add this group to a whole mess of computers is tedious. So I wanted to do it via a GPO, automatically. I created a GPO based on these instructions on this web site.

    https://community.spiceworks.com/how_to/907-gpo-to-push-out-local-administrators-across-a-domain

    I didn't do the (RDT) option he talks about.

    My Servers are 2003, 2008 and 2012r2. I did this on the backup DC which is 2012r2.

    When I set up a link/GPO to one of the OUs it did not work. I have gpupdated /force etc. but it does not migrate to the computers that the users who are in that OU are using.

    I then set up a test OU and put the GP off of that OU and then added a COMPUTER to that Test OU. Now note I'm putting a computer into the OU, not Users. This seemed to work. (The computer was an XP if that makes any difference.) So it works if I put a COMPUTER into the TEST OU but it does not seem to work for USERS, when I put the Group Policy in other OUs that are just domain Users.

    Does this policy work on computers only, or what am I missing?

    Thanks.

    Thursday, November 26, 2015 6:31 PM

Answers

  • Hi Stevwolf,

    The policy setting you are applying is a Computer Policy - this will only apply to computers. Applying this policy to users will have no effect.

    Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups

    Good Luck!

    Shane

    Thursday, November 26, 2015 6:42 PM
  • So, if anyone is still reading.

    It appears that when I open the Group Policy manager there is NO listing of computers. There are OUs for everything else but none for computers.

    How do I add a GP to just a bunch of computers? Do I have to create a new OU and then move the computers into it? I want to apply my policy to Desktop computers but not servers.

    Thanks.

    PS OK, I'm updating this post. The reason why I can't see Computers is because Computers is a Container, not an OU.

    See http://serverfault.com/questions/675918/why-can-i-not-see-a-computers-gpo-in-my-gpmc-how-can-i-force-a-gp-update-withou

    It looks like I have to create an OU and put the computers into it to do this. Unless anyone has any better ideas.

    Friday, November 27, 2015 2:11 PM

All replies

  • Thank you so very much.

    I have seen several examples of this but no one mentioned this. I admit that maybe people know this intuitively, but I didn't. Thanks very much.

    Thursday, November 26, 2015 9:31 PM
  • It looks like I have to create an OU and put the computers into it to do this. Unless anyone has any better ideas.

    These are the right steps if you just want to "add a GP to just a bunch of computers". By default, a GPO can only be linked to a site, domain, or OU. You cannot apply it to a container, like Computers.


    Regards,

    Ethan Hua


    Tuesday, December 01, 2015 2:10 AM
    Moderator
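
The steps the thread arrives at (create an OU, move the desktop computers out of the default Computers container, link the Restricted Groups GPO to that OU), as an added PowerShell example that is not part of the original thread. The GPO name and the OU name are assumptions; the script relies on the ActiveDirectory and GroupPolicy modules from RSAT.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'Local Admins - Workstations'   # assumption: name of the existing GPO
$ouName  = 'Workstations'                  # assumption: name chosen for the new OU

$domain = Get-ADDomain
$ouDn   = "OU=$ouName,$($domain.DistinguishedName)"

# A GPO cannot be linked to the Computers container, so create a real OU if missing.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# Select only computers whose recorded OS is not a server edition.
# Objects with no OperatingSystem value are skipped rather than guessed at,
# so a server is not given the LocalAdmins group by accident.
$workstations = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
        -SearchScope OneLevel -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -and $_.OperatingSystem -notlike '*Server*' }

# Review the list before moving anything (append -WhatIf to the move for a dry run).
$workstations | Select-Object Name, OperatingSystem | Format-Table -AutoSize
$workstations | Move-ADObject -TargetPath $ouDn

# Link the computer-side policy to the OU that now holds the workstations.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# Verify: what is in the OU, and which GPOs are linked to it.
Get-ADComputer -Filter * -SearchBase $ouDn -Properties OperatingSystem |
    Select-Object Name, OperatingSystem
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled
```

On a moved workstation, `gpupdate /force` followed by `gpresult /r` shows whether the GPO is listed under the applied computer settings.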