Thursday, March 17, 2011

Domain Computers - Local Administrators


With the addition of Group Policy Preferences (GPP), adding a domain group to the local Administrators group on client computers has become a real walk in the park.


Here's how you do it, step by step. 


If you don't have a default computer policy already, I recommend you create one. Mine is called "Default Computer Policy". This policy contains the settings that all domain computers will have in common. And while you're at it, also create the security group you want to add, if you haven't already. Something short and simple like "Computer Administrators" will do just fine, and the name is self-explanatory.


Edit the GPO and expand Computer Configuration, Preferences, Control Panel Settings, then right click "Local Users and Groups" and select New -> Local Group. Select "Update" as the action, then click the group name drop-down arrow. Scroll down and select "Administrators (built-in)". Skip "Rename to" and "Description" and the checkboxes for deleting users and groups (unless you really want to restrict the membership to exactly what you specify). In the "Members" box, click "Add..." and enter the name of the domain group you want to add to the local Administrators group. I'd suggest clicking the button with the three dots to search AD for the group. Make sure the action "Add to this group" is selected and click OK. Believe it or not, that's it: click "Apply" and you're done.


Now it's time to confirm the setting. You can either fire up a test machine in scope for this policy, or if it's already running, reboot it (it's a computer setting after all). If you're feeling lazy, you can even do this remotely. 


You can use psexec to connect to the computer (psexec \\computername cmd) and force a gpupdate (gpupdate /force). You can reboot the computer using shutdown /m "computername" /f /r /t 0. The switches are force, reboot and time in seconds. Once it's back up, you can once again connect to it using psexec, and then run the command "net localgroup administrators". This lists the members of the local Administrators group.


For me, it worked like a charm! 




And here's how you did it back in the day with the "Restricted Groups" GPO setting. 


Create or edit your Default Computer Policy. Expand the Computer Configuration, Policies, Windows Settings, Security Settings and right click "Restricted Groups". Select "Add Group" and browse AD for the domain group you want to add to the local Administrators group. Click OK. 
In the bottom section, "This group is a member of", click "Add..." and browse for "Administrators". Click OK and then apply the setting. The setting should now say that the group "Domain\Group" (your domain\your group name) is a member of "Administrators". If it says anything else, it has been configured wrong, and rolling it out may cause damage (in particular, adding "Administrators" under "Members of this group" instead would replace the existing membership of the local Administrators group rather than add to it).


Confirming the setting works exactly the same way as described above for the GPP variant: force a gpupdate over psexec, reboot the test machine, and check the membership with "net localgroup administrators".
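Both walk-throughs end with the same manual check. Here is the same refresh-reboot-check loop as an added PowerShell script (not from the original post), which also flags members that should not be there, since the GPP item with the "delete" checkboxes left unchecked never removes anything. It assumes WinRM is enabled on the targets and that they have the LocalAccounts module (Get-LocalGroupMember, Windows 10 / Server 2016 and later); the computer names, the CONTOSO domain and the expected member list are placeholders.

```powershell
# Added example, not from the original post. Placeholders: computer names,
# the CONTOSO domain and the expected member list below.
$Computers = @('PC01', 'PC02')
$Expected  = @(
    'CONTOSO\Computer Administrators',  # the group the GPP / Restricted Groups item adds
    'CONTOSO\Domain Admins',            # added by default when a machine joins the domain
    'LOCAL\Administrator'               # machine-local account, normalised below
)

function Test-LocalAdminMembership {
    param([string]$Computer, [string[]]$ExpectedMembers)
    # Equivalent of "net localgroup administrators", but as objects
    $members = Invoke-Command -ComputerName $Computer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
    # Rewrite "PC01\Administrator" to "LOCAL\Administrator" so one expected
    # list serves every host regardless of its name.
    $pattern = '^' + [regex]::Escape($Computer) + '\\'
    $names   = @($members | ForEach-Object { $_.Name -replace $pattern, 'LOCAL\' })
    [pscustomobject]@{
        Computer   = $Computer
        Members    = $names
        Missing    = @($ExpectedMembers | Where-Object { $_ -notin $names })
        Unexpected = @($names | Where-Object { $_ -notin $ExpectedMembers })
    }
}

foreach ($c in $Computers) {
    # Same steps as the psexec walk-through: refresh policy, reboot, then check
    Invoke-Command -ComputerName $c -ScriptBlock { gpupdate /force /target:computer | Out-Null }
    Restart-Computer -ComputerName $c -Force -Wait -For PowerShell -Timeout 600
    $result = Test-LocalAdminMembership -Computer $c -ExpectedMembers $Expected
    if ($result.Missing.Count -eq 0 -and $result.Unexpected.Count -eq 0) {
        Write-Host "$c OK: $($result.Members -join ', ')"
    } else {
        Write-Warning "$c missing: $($result.Missing -join ', ') | unexpected: $($result.Unexpected -join ', ')"
    }
}
```

Anything reported under "unexpected" is a local admin that neither policy variant put there, which is exactly the kind of membership drift worth reviewing before you trust the GPO as your only control.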

