Friday, August 1, 2014

Add an Active Directory group to the local administrator group of workstation(s)



1. Create a new group in Active Directory

Create a new group in Active Directory that you wish to add to every workstation's local Administrators group. DO NOT add any users to this group at this time.

2. Create a new GPO

Create a new group policy object and link it to the desired OU. Make sure the GPO is linked to an OU that contains the WORKSTATIONS on which you want to give users local administrative rights.

3. Edit the newly created GPO

Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups

4. Add your new Active Directory group to Restricted Groups

Right-click the Restricted Groups folder and select "Add Group". In the Group field, type the name of the newly created Active Directory group and click "OK".

5. Add the Restricted Group to the local Administrators group

In the Restricted Group Properties window, click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK".

6. Wait for GPO updates to apply to the workstations

Once your workstations receive the updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local Administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.

7. Add a user or group of users to the Active Directory Restricted Group

When you are ready, or when you need to provide local workstation admin rights, simply add the user or group of users to the Active Directory group you created for use with Restricted Groups, using your Active Directory management console.

8. Remove the user or group of users from the AD Restricted Group

When the user or group of users no longer needs local admin rights, simply remove the user(s) from the Active Directory group and have the user log off or reboot the workstation.
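The same procedure scripted in PowerShell, as an added example that is not part of the original post. It covers steps 1, 2, 6, 7 and 8 with the ActiveDirectory and GroupPolicy (RSAT) modules; steps 3 to 5 (the Restricted Groups entry itself) have no cmdlet in the GroupPolicy module and stay in the GPO editor as described above. The group name "WS-LocalAdmins", the OU paths, the GPO name and the account "jdoe" are assumptions. One point worth checking after the policy applies: "This group is a member of:" adds your group to local Administrators without removing whoever is already there (unlike the "Members of this group:" setting, which enforces an exact member list), so the check function also reports any members you did not expect.

```powershell
# Added example, not code from the original post. Assumed names: the AD group
# "WS-LocalAdmins", the OUs below, the GPO name and the account "jdoe".
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) on the admin host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'WS-LocalAdmins'                                 # assumed
$GroupOU   = 'OU=Groups,DC=example,DC=com'                    # assumed
$TargetOU  = 'OU=Workstations,DC=example,DC=com'              # assumed
$GpoName   = 'Workstation Local Admins (Restricted Groups)'   # assumed

# Step 1: create the security group that will be granted local admin rights.
# It must start empty; nobody gets rights until the GPO is in place.
function New-LocalAdminDelegationGroup {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU `
        -Description 'Members become local Administrators on workstations in the linked OU'
    if (Get-ADGroupMember -Identity $GroupName) {
        throw "$GroupName already has members; it should be empty until the GPO applies."
    }
}

# Step 2: create the GPO and link it to the OU that holds the workstations.
function New-LocalAdminGpo {
    $gpo = New-GPO -Name $GpoName `
        -Comment "Adds $GroupName to local Administrators via Restricted Groups"
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    # Steps 3-5 (Restricted Groups -> "This group is a member of: Administrators")
    # are configured in the GPO editor; the GroupPolicy module has no cmdlet for them.
    return $gpo
}

# Step 6 check, run ON a workstation after "gpupdate /force": confirm the group
# landed in local Administrators and list every member that is not on the expected
# list. "Member of" mode only adds the group, so pre-existing members survive.
function Test-LocalAdminMembership {
    param(
        [string[]]$Expected = @(
            "$env:COMPUTERNAME\Administrator",
            "$env:USERDOMAIN\Domain Admins",
            "$env:USERDOMAIN\$GroupName"
        )
    )
    $members    = Get-LocalGroupMember -Group 'Administrators'
    $present    = $members.Name -contains "$env:USERDOMAIN\$GroupName"
    $unexpected = $members | Where-Object { $Expected -notcontains $_.Name }
    [pscustomobject]@{
        GroupApplied      = $present
        UnexpectedMembers = @($unexpected.Name)
    }
}

# Steps 7 and 8: grant and revoke by editing the AD group only; the GPO never changes.
function Grant-WorkstationLocalAdmin {
    param([Parameter(Mandatory)][string[]]$Principal)
    Add-ADGroupMember -Identity $GroupName -Members $Principal
}
function Revoke-WorkstationLocalAdmin {
    param([Parameter(Mandatory)][string[]]$Principal)
    Remove-ADGroupMember -Identity $GroupName -Members $Principal -Confirm:$false
    # The user's logon token still carries the group until they log off or the
    # workstation reboots, exactly as step 8 above says.
}

# Example run (assumed account 'jdoe'):
# New-LocalAdminDelegationGroup; New-LocalAdminGpo     # on the admin host
# gpupdate /force; Test-LocalAdminMembership           # on the workstation
# Grant-WorkstationLocalAdmin  -Principal 'jdoe'
# Revoke-WorkstationLocalAdmin -Principal 'jdoe'
```

Get-LocalGroupMember ships with Windows 10 / Windows Server 2016 and later (the Microsoft.PowerShell.LocalAccounts module); on older workstations, "net localgroup Administrators" gives the same membership list for the check.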
