Create Local Admin User on Domain Computers through GPO

    Question

  • I know there are quite a few threads on this but most of what I have found are old. And in 2015 some user on here said Microsoft removed the ability to create or modify any Group Policy which contains a Group Policy Preference that specifies account credentials.

    I have been looking for a newer thread on this as I have tried to add local admins through GPO but it has not worked. Is it still possible to add through GPO or do I need to run a script?

    And if it is possible can someone please help me out.

    Tuesday, January 31, 2017 11:10 PM

All replies

  • Looks like it is still possible:
    https://technet.microsoft.com/en-us/library/cc731972%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    Local user config here (and a disclaimer about where the password is stored):
    https://technet.microsoft.com/en-us/library/cc771917(v=ws.11).aspx

    Wednesday, February 01, 2017 12:16 AM
  • Hi,

    As you said, Microsoft has removed the ability to create or modify any Group Policy which contains a Group Policy Preference that specifies account credentials due to security concerns (with security patch, MS14-025)

    You might want to take a look at these blog posts:

    http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx

    http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx

    Best Regards,

    Alvin Wang  


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 01, 2017 6:26 AM
    Moderator
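    The MS14-025 posts linked above explain that the update only blocks creating or editing preferences that store credentials; preference XML files that already carry a `cpassword` attribute stay in SYSVOL until someone removes them. The following PowerShell script is an added example (not code from this thread or from Microsoft) that audits SYSVOL for such leftovers so they can be deleted or recreated without credentials. It assumes the domain DNS name is available in `$env:USERDNSDOMAIN` and that the account running it can read SYSVOL, which any domain user normally can.

```powershell
# Added example: find Group Policy Preference items in SYSVOL that still
# store a cpassword (leftovers that MS14-025 does not remove).
# Assumption: domain DNS name from $env:USERDNSDOMAIN; read access to SYSVOL.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$sysvol = "\\$Domain\SYSVOL\$Domain\Policies"

# Preference types that can carry account credentials.
$files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
         'DataSources.xml', 'Drives.xml', 'Printers.xml'

# The account attribute is named differently per preference type.
$accountAttrs = 'userName', 'username', 'accountName', 'runAs'

$findings = Get-ChildItem -Path $sysvol -Recurse -Include $files -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try { [xml]$doc = Get-Content -Path $path -Raw -ErrorAction Stop } catch { return }

        # Any element with a cpassword attribute is a finding, whatever the type.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # Map the file back to its GPO via the {GUID} folder in the path.
            $gpoGuid = if ($path -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { 'unknown' }

            # cpassword sits on <Properties>; the item name is on its parent.
            $item = $node.ParentNode
            $account = ($accountAttrs | ForEach-Object { $node.GetAttribute($_) } |
                        Where-Object { $_ } | Select-Object -First 1)

            [pscustomobject]@{
                GpoGuid  = $gpoGuid
                ItemType = $item.LocalName
                ItemName = $item.GetAttribute('name')
                Account  = $account
                File     = $path
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} preference item(s) still store a cpassword; delete them or recreate them without credentials." -f @($findings).Count)
} else {
    Write-Host "No Group Policy Preference items with a stored cpassword found under $sysvol"
}
```

    The script deliberately only reports the presence of the attribute and which GPO and account it belongs to; it never touches the value itself. Run it on a schedule or after each GPO import, since restored or copied policies can reintroduce old XML files.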
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 15, 2017 1:30 PM
    Moderator
  • I installed LAPS which seems to have worked, but having an error when logging in to client system.
    Thursday, March 30, 2017 4:22 PM
  • Yes, but does LAPS *create* the user, or does the local admin need to be manually created? I have deployed LAPS in a test environment. As promising as all the videos and how-to's appear to be initially, none of them show how to actually CREATE the user, in order for LAPS to then do its thing (reset passwords for local accounts/admins). When a new computer is joined to the domain, how can I make it so "computer-admin" gets created and is added to the local admins group, if Group Policy is not the way anymore, and LAPS doesn't actually CREATE the user (unless I'm mistaken).

    Thanks

    Wednesday, January 31, 2018 12:11 AM
  • On 31.01.2018 at 01:11 my_unique_technet_display_name wrote:
    > Yes, but does LAPS *create* the user,
     
    No. Never. No one needs it. There is no difference in having the
    Administrator (RID -500) active or a separate one.
     
    There is no challenge in attacking the RID -500 or the -1000 (first
    local user or simply count in script up to 10 ...).
     
    Stop creating local users in a domain environment; apart from
    troubleshooting on a road warrior "far away", there is completely no reason
    to have any local account active.
    All jobs can be done with a domain account that's a member of the local
    admin group.
     
    - delete all selfcreated Admins, no need
    - disable administrator (-500), if possible
    - deploy LAPS for all machines, in case the local admin is active
    Even if the Admin account is disabled, it's easier to deploy LAPS to all
    rather than creating a filter
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Wednesday, January 31, 2018 7:05 AM
  • > No. Never. No one needs it. There is no difference in having the
    > Administrator (RID -500) active or a separate one.

    You don't need to enable -500. When booting to recovery, it will be enabled automatically.

    Wednesday, January 31, 2018 12:43 PM
  • Thanks for your reply Mark, it is very enlightening, mostly due to the fact I've never seen or heard of the -500 and -1000 stuff; maybe just by chance I've never got that detailed in the under-workings, I guess. I did read that, in order to combat this local admin problem, all I need to do is create a "MYDOMAIN\LocalAdmins" group and put that group in the local admins group of every workstation. How then would anyone in that LocalAdmins Domain Security Group be able to use their credentials on the "faraway" computer, if those credentials have never yet been used to log into the workstation (therefore no cached credentials exist and "no logon servers available" to serve/authenticate the login)?

    I believe I need to read up on the -500 and -1000/first local user stuff, as I now realize it answers one of the questions I had yesterday when reading up on this: what admin account gets reset if one isn't specified in the GPO?

    Most importantly, is there any out-of-band solution for this, if I am unable to reach the domain to run the GUI program, to obtain the unique local admin password, to give to Mr. Roadwarrior?

    Thanks again.

    Wednesday, January 31, 2018 5:51 PM
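    Mark's list above (delete self-created local admins, disable the -500 account, keep LAPS on it) and the "MYDOMAIN\LocalAdmins" domain group approach from the post just above can be applied together on a workstation. The PowerShell below is an added example, not code from this thread, from Mark Heitbrink or from Microsoft; it uses the Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows 10 / Server 2016 and later, must run as a local administrator, and assumes the domain group is named "MYDOMAIN\LocalAdmins" (the name used in the post; change it for your domain). By default it only reports; the switches perform the changes and honour -WhatIf.

```powershell
# Added example: report and optionally remediate local admin membership
# on one machine, following the recommendations in the thread.
# Assumptions: domain group "MYDOMAIN\LocalAdmins" holds the people who need
# local admin rights; run elevated on Windows 10 / Server 2016 or later.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainAdminGroup = 'MYDOMAIN\LocalAdmins',
    [switch]$DisableBuiltinAdmin,
    [switch]$RemoveExtraLocalAdmins
)

$adminsGroup = 'Administrators'

# 1. Find the built-in Administrator by its RID (-500), never by name: the
#    account may have been renamed, and a user-created account called
#    "Administrator" is not the built-in one.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Write-Host ("Built-in Administrator: {0} (Enabled={1})" -f $builtin.Name, $builtin.Enabled)

# 2. Show who is currently in the local Administrators group and where
#    each principal comes from (Local, ActiveDirectory, ...).
$members = Get-LocalGroupMember -Group $adminsGroup
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Self-created local accounts in Administrators: local users other than -500.
$extra = $members | Where-Object {
    $_.ObjectClass -eq 'User' -and
    $_.PrincipalSource -eq 'Local' -and
    $_.SID.Value -ne $builtin.SID.Value
}
foreach ($m in $extra) {
    if ($RemoveExtraLocalAdmins) {
        if ($PSCmdlet.ShouldProcess($m.Name, "Remove from $adminsGroup")) {
            Remove-LocalGroupMember -Group $adminsGroup -Member $m
        }
    } else {
        Write-Warning "Local account in ${adminsGroup}: $($m.Name) (consider removing it)"
    }
}

# 4. Make sure the domain group is a member so daily admin work is done
#    with domain accounts instead of local ones.
$hasDomainGroup = $members | Where-Object { $_.Name -eq $DomainAdminGroup }
if (-not $hasDomainGroup) {
    if ($PSCmdlet.ShouldProcess($DomainAdminGroup, "Add to $adminsGroup")) {
        Add-LocalGroupMember -Group $adminsGroup -Member $DomainAdminGroup
    }
} else {
    Write-Host "$DomainAdminGroup is already a member of $adminsGroup"
}

# 5. Disable the built-in Administrator if asked. Keep the machine in LAPS
#    regardless: as the thread notes, the account comes back when booting
#    into recovery, so its password still has to be unique per machine.
if ($DisableBuiltinAdmin -and $builtin.Enabled) {
    if ($PSCmdlet.ShouldProcess($builtin.Name, 'Disable account')) {
        Disable-LocalUser -SID $builtin.SID
    }
}
```

    Run it once without switches to see the current state, then with `-RemoveExtraLocalAdmins -DisableBuiltinAdmin -WhatIf` to preview the changes before applying them. Membership of the domain group itself is what you audit centrally afterwards; the machines no longer hold any account that needs to be tracked individually apart from the one LAPS manages.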
  • > (therefore no cached credentials exist and "no logon servers available" to serve/authenticate the login)?

    In this case, they can NOT log on. That's why we resort to the builtin local administrator as the ultimate emergency logon account :-)

    Thursday, February 01, 2018 10:04 AM
  • Thanks for the confirmation that my understanding of LAPS being a "solution" to the GPO/localadmin problem, is anything but a solution. It DOES NOT solve the one main reason why local admins exist in the first place: out of band OH $HIT moments. LAPS would only work in the commercials where everything is scripted and everyone's smiling, but not in the real world. At this point it would be quicker to manually create users on each workstation via psexec, with each workstation having a different, random, and permanent password. Bye bye LAPS, thanks everyone for your feedback.
    Thursday, February 01, 2018 5:33 PM
  • On 01.02.2018 at 18:33 my_unique_technet_display_name wrote:
    > [...] It DOES NOT solve the one main reason why local admins exist in
    > the first place: out of band OH $HIT moments.
     
    There are only a few "OH SHIT" moments. Boot the system offline, replace
    utilman.exe, enable the Admin account when needed. Disable the Admin account.
     
    There is no need for a local admin account on systems that can be
    reached. If you disable it, it's only a 3 minute longer process.
     
    Daily work can be done with a domain user account inside the local
    admins group.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Friday, February 02, 2018 10:09 AM