Local Admin Users on Domain Workstations (GPO/AD Method)

This method consists of three parts: two AD security groups and one GPO.
One of the security groups is used as a naming template that is instantiated per computer, but more on that shortly.

Important: If you are looking for guidance on adding a new computer to an existing setup, refer to the section Security Group: Authorized Users below.

Requirements

  1. Automate as much of the process as possible, for handoff to a limited AD rights group for management.
  2. When admin rights are no longer needed, clean up all traces of the permissions from the computer.
  3. Audit which computers and users have admin access.

Assumptions

  1. I assume you know how to add an Active Directory (AD) security group.
  2. You have Domain Admin or equivalent rights to modify domain objects.
  3. Your domain computers do not have their local Administrators group overwritten by either a GPO or another process. This process uses an “add to” method, so anything that replaces the group’s membership would undo it.

Active Directory Groups (AD)

We will need to create a security group that will hold the computer accounts.

Of course, you can call the AD groups anything you want, but for this article I will name it something meaningful to me.
Why? Cause I want to, so there.  😉

Security Group: Authorized Computers (contains: computer accounts)

The members of this group are the “authorized computers” that the process will trigger against.

AD Group name: Local-Admin_Authorized

Security Group: Authorized Users (contains: user accounts)

The members of this group are the “authorized users” who receive admin access on the computer.
This group is created per computer, as needed. Whether admin rights are assigned to a computer is determined by whether its group exists.

AD Group name: Local-Admin_<Computer Name>

Example: Local-Admin_MYDESKTOP01
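To automate the per-computer group lifecycle (requirement 1) and the cleanup (requirement 2), here is an added PowerShell example; it is not part of the original article. It assumes the RSAT ActiveDirectory module, a single domain, and that the per-computer groups live in an OU whose path is a placeholder you replace. The group names follow the Local-Admin_* convention above; the function names, parameters and sample values are my own.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module, a single domain, and an OU (placeholder below) for the per-computer groups.
Import-Module ActiveDirectory

$AuthorizedComputersGroup = 'Local-Admin_Authorized'        # name from the article
$GroupOU = 'OU=Local-Admin-Groups,DC=contoso,DC=com'        # assumption: replace with your OU

function Grant-LocalAdminAccess {
    <# Creates Local-Admin_<Computer> if it is missing, adds the users to it, and
       enrolls the computer in Local-Admin_Authorized so the GPO targets it. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$UserSamAccountName
    )
    # Fail early on a typo: a bad name would otherwise create an orphan group.
    $computer  = Get-ADComputer -Identity $ComputerName
    $groupName = "Local-Admin_$($computer.Name)"

    # -Filter returns $null for a missing group instead of throwing like -Identity does.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group -and $PSCmdlet.ShouldProcess($groupName, 'Create security group')) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description "Local Administrators on $($computer.Name)" -PassThru
    }
    if ($group -and $PSCmdlet.ShouldProcess($groupName, "Add members: $($UserSamAccountName -join ', ')")) {
        Add-ADGroupMember -Identity $group -Members $UserSamAccountName
    }
    # Membership in the targeting group is what makes item-level targeting select this machine.
    if ($PSCmdlet.ShouldProcess($computer.Name, "Add to $AuthorizedComputersGroup")) {
        Add-ADGroupMember -Identity $AuthorizedComputersGroup -Members $computer
    }
    $group
}

function Revoke-LocalAdminAccess {
    <# Reverses Grant-LocalAdminAccess. With "Remove this item when it is no longer
       applied" checked on the GPP item, taking the computer out of the targeting
       group makes the next policy refresh strip Local-Admin_<Computer> from the
       local Administrators group; the AD group itself is deleted afterwards. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$DeleteGroup      # pass only after the endpoint has refreshed policy
    )
    $computer  = Get-ADComputer -Identity $ComputerName
    $groupName = "Local-Admin_$($computer.Name)"

    if ($PSCmdlet.ShouldProcess($computer.Name, "Remove from $AuthorizedComputersGroup")) {
        Remove-ADGroupMember -Identity $AuthorizedComputersGroup -Members $computer -Confirm:$false
    }
    if ($DeleteGroup) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if ($group -and $PSCmdlet.ShouldProcess($groupName, 'Delete security group')) {
            Remove-ADGroup -Identity $group -Confirm:$false
        }
    }
}

# Usage with constructed sample values; -WhatIf reports the changes without making them.
Grant-LocalAdminAccess  -ComputerName 'MYDESKTOP01' -UserSamAccountName 'jdoe', 'asmith' -WhatIf
Revoke-LocalAdminAccess -ComputerName 'MYDESKTOP01' -DeleteGroup -WhatIf
```

Order matters during cleanup: remove the computer from Local-Admin_Authorized first and let the workstation process policy (or run gpupdate /target:computer /force on it) before deleting the Local-Admin_<Computer> group. If the group disappears first, the preference item may no longer be able to resolve the member it added, and the local Administrators group can be left holding an unresolved SID, which is exactly the trace requirement 2 wants gone.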

 

 

Group Policy Object (GPO)

We will need to create a group policy object that will perform the magic. The logic is quite simple, but wrapping your brain around it all at once may hurt some brain cells.

GPO: Workstation Targeted

This GPO uses item-level targeting and expands an OS environment variable (%ComputerName%) on the client to build the name of the correct AD security group. That is why the naming of the Authorized Users security group is so critical: the GPO inserts the local computer name into the member name while the policy is being applied.

Note: You can also manually add the Authorized Users AD security group to the computer’s Administrators group in case you don’t want to wait for group policy to take effect.

  1. Open Group Policy Management MMC with an account that has domain admin rights or higher.
  2. Right click on Group Policy Objects, choose New and name the new GPO something descriptive and click OK.
    • Example: Workstation – Local Admin Access
  3. Edit the new policy.
    1. Browse to: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
    2. Right click and choose New > Local Group
      1. Group name: Administrators (built-in)
      2. Leave unchecked Delete all member users and Delete all member groups.
      3. Under Members, click the Add… button. (It is important to use the variable %ComputerName%.)
        1. Name: <Domain Name>\Local-Admin_%ComputerName%
          • Example: CONTOSO\Local-Admin_%ComputerName%
        2. Action: Add to this group
        3. Click OK.
      4. Under the Common tab:
        1. Check Remove this item when it is no longer applied.
        2. Check Item-level targeting.
        3. Click Targeting button.
          1. Click New Item > Security Group
          2. Click the … button next to the Group text box
            1. Add the AD security group: Local-Admin_Authorized
            2. Click OK.
        4. Click OK.
    3. Close the Group Policy Management Editor.
    4. Click on the Details tab.
      1. GPO Status: User configuration settings disabled
    5. (optional) Click on the Scope tab.
      1. Under Security Filtering
        1. Remove Authenticated Users group.
        2. Add the AD security group: Local-Admin_Authorized
  4. Add the new policy to the OU containing your computers. This does not get applied to users, only computers.
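An added PowerShell example, not from the original article, covering requirement 3 (auditing which computers and users have admin access) and a check that the GPO actually took effect on a workstation. It assumes the ActiveDirectory module, PowerShell remoting (WinRM) to the workstations, Windows 10 / Server 2016 or later on the endpoint for Get-LocalGroupMember, and the Local-Admin_* naming used above; the function names and the sample computer name are my own.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, PowerShell remoting to the workstations, and the Local-Admin_* names.
Import-Module ActiveDirectory

$AuthorizedComputersGroup = 'Local-Admin_Authorized'

function Get-LocalAdminAudit {
    <# One row per Local-Admin_<Computer> group: who is in it and whether the
       computer is actually targeted. Also flags the two drift cases this design
       can produce: a group whose computer was never enrolled (rights silently
       not granted) and an enrolled computer with no group (the GPP item cannot
       resolve the member it is told to add). #>
    [CmdletBinding()]
    param()
    $authorized = Get-ADGroupMember -Identity $AuthorizedComputersGroup |
        Where-Object objectClass -eq 'computer' | ForEach-Object Name

    $groups = Get-ADGroup -Filter "Name -like 'Local-Admin_*' -and Name -ne '$AuthorizedComputersGroup'" -Properties whenCreated
    foreach ($group in $groups) {
        $computerName = $group.Name -replace '^Local-Admin_', ''
        # -Recursive so nested groups do not hide who really gets admin rights.
        $admins = Get-ADGroupMember -Identity $group -Recursive | ForEach-Object SamAccountName
        [pscustomobject]@{
            Computer     = $computerName
            ComputerInAD = [bool](Get-ADComputer -Filter "Name -eq '$computerName'")
            Targeted     = $authorized -contains $computerName
            Admins       = $admins -join ', '
            GroupCreated = $group.whenCreated
        }
    }
    # Enrolled computers that have no matching Authorized Users group.
    foreach ($name in $authorized) {
        if (-not ($groups.Name -contains "Local-Admin_$name")) {
            [pscustomobject]@{ Computer = $name; ComputerInAD = $true; Targeted = $true; Admins = '(no group)'; GroupCreated = $null }
        }
    }
}

function Test-LocalAdminApplied {
    <# Confirms the GPP item landed: the local Administrators group on the
       workstation should contain DOMAIN\Local-Admin_<Computer>. #>
    param([Parameter(Mandatory)][string]$ComputerName)
    $expected = "$((Get-ADDomain).NetBIOSName)\Local-Admin_$ComputerName"
    # Read the live local group membership over remoting; Name comes back as DOMAIN\account.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    }
    [pscustomobject]@{
        Computer = $ComputerName
        Expected = $expected
        Applied  = $members -contains $expected
        Members  = $members -join ', '
    }
}

Get-LocalAdminAudit | Sort-Object Computer | Format-Table -AutoSize
Test-LocalAdminApplied -ComputerName 'MYDESKTOP01'   # constructed sample name
```

Rows with Targeted = False or Admins = "(no group)" are the ones to fix: the first means someone created the group but never enrolled the computer, the second means the computer will process the GPO but the member name cannot be resolved. Test-LocalAdminApplied is the quickest way to confirm that a newly enrolled machine has picked up the policy before telling the user they have admin rights.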