Adding a security group to the Local Administrator Group in AD

[su_tooltip position=”north” content=”Note: I normally disable the built-in Administrator account., and make another account an admin. This is a good security precaution and in my opinion a best practice.”][/su_tooltip]

Having a local administrator of your workstations can come in handy. Sometimes you might need to logon locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin users and sets the local password.

Admins make a common mistake when they want to add a security group the Local Administrator group for a particular set of machines or domain wide. The mistake they make is creating a restricted access group vs. just adding to the existing Administrators Group. The result it that it wipes out any existing Local Administrator permissions or memberships.

This can be accomplished with a Simple GPO.

I will cover both methods for clarification. First I will cover the correct way to add. The Second Method is how to add a restricted group.

Correct Way

CREATE THE SECURITY GROUP

1. Open Active Directory Users and Computers
2. Select your Security Group OU
3. Right Click and select New > Group
4. Give the Group a name, I used “AUTOMATION”

CREATE THE GPO

1. Launch Group Policy Management Console.
2. Right click the OU that you want the GPO to apply to.
3. Select “Create a GPO…”
4. This will Launch Group Policy Editor.
5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
6. Right Click in the blank area and select New > Local Group > Administrators (Built-in)
7. Action: Update (This is the most important part).
8. Add the needed security group. I have added my AUTOMATION Security Group.
9. Click Apply.
10. Click OK.
11. Apply the GPO to the root of the domain OR the appropriate OU.

Incorrect Way (This is how you would create a Restricted Access Group)

[su_note note_color=”#ee899a”]Reason this is incorrect: This will wipe out any existing memberships of the Local Administrator Group. [/su_note]

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

CREATE THE SECURITY GROUP

1. Open Active Directory Users and Computers
2. Select your Security Group OU
3. Right Click and select New > Group
4. Give the Group a name, I used “SG – Local Admins”

CREATE THE GPO

1. Open Group Policy Management Console.
2. Right click the OU that contains the systems you want to set the local admin on
3. Select “Create a GPO in this domain, and Link it here…”
4. Name the GPO. I used “Set Local Administrators”
5. Right Click the GPO and select Edit.
6. Set the following:
   1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
   2. Right Click and select “Add Group…”
   3. Select browse and add the Administrators group
   4. Select OK
   5. Double click Administrators
   6. Select Add for “Members of this group:”
   7. Browse and find your security group. I added “SG – Local Admins”

That should be it. Now you can set which users of the domain are local administrators of their computers.