Local Admin Users on Domain Workstations (GPO/AD Method)

This method consists of two parts, one AD security group and one GPO.

Important: If you are looking for guidance on adding a new computer to an existing setup, refer to the section Security Group: Authorized Users below.

Requirements

  1. Automate as much of the process as possible.
  2. When admin rights are no longer needed, clean up all traces of the permissions from the computer.
  3. Audit which computers and users have admin access.

Assumptions

  1. I assume you know how to add Active Directory (AD) security groups.
  2. You have access to add and modify domain objects.
  3. Your domain computers do not have their local Administrators group overwritten by either a GPO or another process. This process uses an “add to” method.

Expectations

  1. To automatically add the group to the computer, simply create the group as outlined below.
  2. To remove the group from the computer, delete it from AD.

Active Directory Groups (AD)

We will be creating an AD security group based on the name of the computer. We do this so we can use the variable %ComputerName% in the GPO.

Security Group: Authorized Users (contains: user accounts)

The members of this list will be the “authorized users” receiving admin access on the computer.
This group is created per computer as needed. The existence of this group determines if admin rights are assigned to the computer or not.

AD Group name: Local-Admin_<Computer Name>

Example: Local-Admin_MYDESKTOP01

Group Policy Object (GPO)

We will need to create a group policy object that will perform the magic. The logic is quite simple, but wrapping your brain around it all at once may hurt a little.

GPO: Computer Targeted

This GPO has item-level targeting and passes OS level variables to allow addition of the correct AD security group. That is why naming the AD security group correctly is so critical, because this GPO expands the local computer name variable and uses it during the policy assignment.

  1. Open Group Policy Management MMC with an account that has domain admin rights or higher.
  2. Right click on Group Policy Objects, choose New and name the new GPO something descriptive and click OK.
    • Example: Computer – Local Admin Access
  3. Edit the new policy.
    1. Browse to: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
    2. Right click and choose New > Local Group
      1. Group name: Administrators (built-in)
      2. Leave unchecked Delete all member users and Delete all member groups.
      3. Under Members, click Add… button. (It’s important to use the variable %ComputerName%)
        1. Name: <Domain Name>\Local-Admin_%ComputerName%
          • Example: CONTOSO\Local-Admin_%ComputerName%
        2. Action: Add to this group
        3. Click OK.
      4. Under the Common tab:
        1. Check Remove this item when it is no longer applied.
          • If prompted, select No so it will only remove the entry we are adding.
        2. Check Item-level targeting.
        3. Click Targeting button.
          1. Click New Item > LDAP Query
            In the Filter text box, add the following (the group name must match the Local-Admin_<Computer Name> convention above exactly, underscore included):
            (&(objectCategory=group)(name=Local-Admin_%ComputerName%))

            In the Binding text box, it should read:
                LDAP:

          2. Click OK.
        4. Click OK.
    3. Close the Group Policy Management Editor.
    4. Click on the Details tab.
    5. Set GPO Status: User configuration settings disabled
  4. Add the new policy to the OU containing your computers. This does not get applied to users, only computers.
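As an added example that is not part of the original article, the PowerShell below creates the per-computer group described above (Expectation 1) and audits which computers and users currently have access through such groups (Requirement 3). It assumes the RSAT ActiveDirectory module is installed; the OU path and the sample member name are placeholders.

```powershell
# Added example (not part of the original article): helper functions for the
# Local-Admin_<ComputerName> convention described above. Assumes the RSAT
# ActiveDirectory module and a domain account allowed to create and read groups.
# The OU path is a placeholder; replace it with the OU you use for these groups.
Import-Module ActiveDirectory

$GroupPrefix = 'Local-Admin_'
$GroupOU     = 'OU=LocalAdminGroups,DC=contoso,DC=com'   # placeholder, adjust

function New-LocalAdminGroup {
    # Creates the per-computer group the GPO resolves through %ComputerName%.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$Members = @()
    )
    # Refuse to create a group for a computer that is not in the domain: it
    # would grant nothing today but is a dangling authorization for later.
    if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'")) {
        throw "No computer object named $ComputerName"
    }
    $name = "$GroupPrefix$ComputerName"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -Path $GroupOU `
            -Description "Local Administrators on $ComputerName (managed by GPO)"
    }
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $name -Members $Members }
}

function Get-LocalAdminAudit {
    # Lists every Local-Admin_* group, its members, and whether the computer it
    # names still exists. An orphaned group (computer gone) or an unexpected
    # member is an audit finding; deleting the group removes the entry from the
    # workstation through the GPO's "remove when no longer applied" setting.
    Get-ADGroup -Filter "Name -like '$GroupPrefix*'" | ForEach-Object {
        $computerName = $_.Name.Substring($GroupPrefix.Length)
        [pscustomobject]@{
            Group          = $_.Name
            Computer       = $computerName
            ComputerExists = [bool](Get-ADComputer -Filter "Name -eq '$computerName'")
            Members        = (Get-ADGroupMember -Identity $_ -Recursive |
                              Select-Object -ExpandProperty SamAccountName) -join ', '
        }
    }
}

# Usage: New-LocalAdminGroup -ComputerName MYDESKTOP01 -Members jdoe
#        Get-LocalAdminAudit | Format-Table -AutoSize
```

Because anyone who can create a group named Local-Admin_* effectively grants local admin on that computer, restrict create rights on the OU holding these groups and run the audit on a schedule.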
