Add a user to local administrators group

  • Question

  • I have a group policy that adds a user to the Administrators group on a local PC if they are in a group called "desktopadmins". The user gets added fine, but for that user to pick up that they are an administrator on that PC they have to log in a second time after they have been put in the group. My question is: is there a way around this? I want to clean up the Administrators group every login so that it only has the user that is logging in at that moment in time. I do this by enabling "Delete all member users" and "Delete all member groups" in the Local Users and Groups part of the policy.

    Thanks

    Friday, August 18, 2017 7:55 AM

All replies

  • Hi,
    Please take a look at the “Restricted Groups” setting in Group Policy. When using a Restricted Groups Group Policy, any current member of the group that is not on the “Members” list will be removed, and all users / domain groups that are in the “Members” list and are not members of the group will be added as members.
    You could see more details from:
    Active Directory Group Policy Restricted Groups
    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 21, 2017 6:29 AM
  • Hi,

    I don't think this will work for what I want to do. I want a user to log into a computer and, if they are in the desktopadmins group, they get added to the local Administrators group. This way they are only an administrator on the computer they are logged into and not on every PC in the company. The way I have it now works, apart from the user having to log in twice to pick up that they are admin.

    Thanks

    Monday, August 21, 2017 7:49 AM
  • Hi,
     
    On 21.08.2017 at 09:49, tedw011111 wrote:
    > I don't think this will work for what I want to do,
     
    Use Group Policy Preferences Local Users and Groups
    They can manipulate this group by User Settings "only when logged in"
     
    Or they can be more easily filtered by item level targeting on the
    computer and user site, whether configured this or the other way.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Monday, August 21, 2017 8:16 AM
  • Hi,

    I am using Local Users and Groups and it all works fine, apart from the user not getting full admin rights.

    The first time the user logs in, their username is in the Administrators group but they do not have admin rights. If they log off and then back in again, everything is fine.

    Thanks

    Monday, August 21, 2017 8:28 AM
  • Hi,
     
    On 21.08.2017 at 10:28, tedw011111 wrote:
    > First time the user logs in their username is in the administrators
    > group but they do not have admin rights
     
    They should have it at first run time.
     
    Mark
    Monday, August 21, 2017 9:27 AM
  • Thanks for getting back to me, I have tried this in two separate environments and I always get the same result.

    Thanks

     
    Monday, August 21, 2017 9:42 AM
  • None of these are relevant; Restricted Groups gives someone admin rights to all the machines the policy is applied to.

    Thanks

    Monday, August 21, 2017 10:39 AM
  • On 21.08.2017 at 11:42, tedw011111 wrote:
    > Thanks for getting back to me, I have tried this in two separate
    > environments and I always get the same result.
     
    User or computer configuration?
     
    I use CompConf in every network I am in and it never needs a second
    login. If so, I guess you are probably conflicting with an existing
    "Restricted groups" setting?
     
    Mark
     
    Monday, August 21, 2017 12:01 PM
  • Hi,

    Thanks for getting back to me, how can I target users when I am doing it in the computer configuration?

    Thanks

    Monday, August 21, 2017 12:13 PM
  • Hi,

    If I explain the exact steps I have taken, maybe I am missing something.

    1. Create a domain group called DesktopAdmin

    2. Create a GPO with Update Administrators (built-in) with members %DomainName%\%LogonUser%, with item-level targeting filtering to DesktopAdmin

    There are also a couple of other rules, like adding Domain Admins into the local Administrators group, which also includes Delete all member users and groups enabled.

    Thanks

    Monday, August 21, 2017 1:58 PM
  • Hi,
     
    On 21.08.2017 at 15:58, tedw011111 wrote:
    > 2. Create a gpo with Update Administrators (built in ) with
    > members %DomainName%\%LogonUser% with item level targeting filtering to
    > DesktopAdmin
     
    I never put in the %LogonUser%.
     
    If you want DesktopAdmin to be Admins on all clients, add
    DesktopAdmin directly as a member.
     
    If you only want it when specific users from this group are logging in,
    then take a look at the same GPP in User Configuration.
     
    Mark
    Monday, August 21, 2017 8:51 PM
  • Hi

    I only want the specific user logging on as Administrator and not all of the group DesktopAdmin. The trouble is, if I add it to the User Configuration part of the GPO, it will only work if you log in as that user a second time. The first time, it puts the user in the Administrators group but it does not have Admin rights; you have to log off and back in again.

    Tuesday, August 22, 2017 6:48 AM
  • Hi,
    It seems that the second login is used to refresh the user's membership. If that is the case, you could try the following article to refresh the user's group membership without logging off and on:
    http://woshub.com/how-to-refresh-ad-groups-membership-without-user-logoff/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards, 
    Wendy


    • Marked as answer by tedw011111 Thursday, August 24, 2017 6:43 AM
    Thursday, August 24, 2017 2:38 AM
  • Thank you, that did the trick.
    Thursday, August 24, 2017 6:44 AM
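
Added example, not part of the thread or any poster's own code: a PowerShell check for the symptom described above, where the account is already listed in the local Administrators group but the session has no admin rights. It compares the group's current members with the SIDs in the access token that was built at logon. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`) and that the user was added to the group directly, as with the `%LogonUser%` item in the thread.

```powershell
# Added example, not from the thread. Run as the affected user, in the
# session where admin rights appear to be missing.
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# What the local group contains right now (direct members only; members
# that arrive through a nested domain group are not expanded here).
$listed = @(Get-LocalGroupMember -SID $adminSid |
    Where-Object { $_.SID.Value -eq $me.User.Value }).Count -gt 0

# What the token created at logon contains. whoami also lists SIDs that UAC
# has marked deny-only, so a filtered administrator token still shows up.
$tokenGroups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$inToken = @($tokenGroups | Where-Object { $_.SID -eq $adminSid })

[pscustomobject]@{
    User            = $me.Name
    ListedInGroup   = $listed
    SidInToken      = $inToken.Count -gt 0
    TokenAttributes = ($inToken.Attributes -join '; ')
    Diagnosis       = if ($listed -and $inToken.Count -eq 0) {
                          'Token predates the membership change: a new logon session is needed'
                      } elseif ($inToken.Count -gt 0) {
                          'Administrators SID is in the token'
                      } else {
                          'User is not a direct member of local Administrators'
                      }
}
```

If `ListedInGroup` is true and `SidInToken` is false, the group change was applied after the token was created, which matches the behaviour reported in the thread.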