Manage local admin accounts on workstations via GP

  • Question

  • Hi,

    I want to create a new local user account called localadmin on all of our user machines which is in the local administrators group and also disable the built-in administrator account. I've read a few bits on doing this via GP but it seems more tricky than it should be.

    I can add a local user via GP preferences but do I select Update or Create? Also, how can I put it in the local admins group? I read something about doing it via Restricted Groups but can't see how I can add that newly created local user account 'localadmin' as I'm on the DC. Would I have to actually run RSAT from a Windows 7 machine with that local account on it?

    I've used these guides:

    http://www.dannyeckes.com/create-local-administrator-security-group-gpo/

    http://www.dannyeckes.com/create-local-admin-group-policy-gpo/

    Is there a more straightforward way?

    Thanks,

    Andrew

    Tuesday, October 14, 2014 8:19 AM

Answers

  • Hi,

    You can create a new local user using GPP "Local Users and Groups" with action "Create".

    You can use the same GPP "Local Users and Groups" - select the Local Group - select built-in Administrators.

    Link the GPO to the OU where your workstations' computer accounts reside. This should provide what you have described.

    Hope this helps.

    Regards,

    Calin

     

    • Proposed as answer by Joseph__Moody Tuesday, October 14, 2014 12:31 PM
    • Marked as answer by Frank Shen5 Monday, November 10, 2014 8:29 AM
    Tuesday, October 14, 2014 8:46 AM

All replies

  • Thanks - this looks very close to what we want - I want to create a new user called "test" with local admin rights on the workstations. When I tried the above I don't see a new user and I have this in the event log: "The computer 'Administrators (built-in)' preference item in the 'Create Local User Admin {65E43D65-E539-42ED-BE27-9A3AAA204E4A}' Group Policy Object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed."
    Tuesday, December 19, 2017 3:57 PM
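
A check that can be run on a workstation once the GPO described in the answer has applied, added here as an example and not part of the original thread: it reports whether the account name resolves to a local account, whether that account is in the built-in Administrators group, and whether the built-in Administrator is disabled. The function name and output fields are hypothetical; it assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) and an elevated session.

```powershell
# Added example: verify the local-account state the GPO is meant to produce.
# Assumption: 'localadmin' is the account name used in the question.
param([string]$AccountName = 'localadmin')

function Test-LocalAdminBaseline {   # hypothetical helper name
    param([string]$Name)

    $result = [ordered]@{
        Computer             = $env:COMPUTERNAME
        AccountExists        = $false
        AccountEnabled       = $false
        InAdministrators     = $false
        BuiltinAdminDisabled = $false
        OtherAdminMembers    = @()
    }

    # Does the name resolve to a local account (and therefore to a SID)?
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($user) {
        $result.AccountExists  = $true
        $result.AccountEnabled = $user.Enabled
    }

    # Look up Administrators by its well-known SID so localized names still work.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    $userSid = if ($user) { $user.SID.Value } else { $null }
    $result.InAdministrators = [bool]($userSid -and ($members.SID.Value -contains $userSid))

    # The built-in Administrator always has RID 500, even if it was renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
    $result.BuiltinAdminDisabled = [bool]($builtin -and -not $builtin.Enabled)

    # Every other member of Administrators, listed for review.
    $known = @($userSid, $builtin.SID.Value) | Where-Object { $_ }
    $result.OtherAdminMembers = @($members |
        Where-Object { $known -notcontains $_.SID.Value } |
        ForEach-Object { $_.Name })

    [pscustomobject]$result
}

Test-LocalAdminBaseline -Name $AccountName
```

Domain groups such as Domain Admins normally appear under OtherAdminMembers on a domain-joined workstation; the field is a list to review, not a failure by itself.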