GPO

Adding a security group to the Local Administrator Group in AD

Having a local administrator of your workstations can come in handy. Sometimes you might need to log on locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin user and sets the local password.

Admins make a common mistake when they want to add a security group to the Local Administrator group for a particular set of machines or domain wide. The mistake is creating a restricted access group instead of just adding to the existing Administrators group. The result is that it wipes out any existing Local Administrator permissions or memberships.

Adding the group without wiping existing members can be accomplished with a simple GPO.

I will cover both methods for clarification. First I will cover the correct way to add the group. The second method is how to add a restricted group.

Correct Way

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the group a name. I used “AUTOMATION”

CREATE THE GPO

  1. Launch Group Policy Management Console.
  2. Right click the OU that you want the GPO to apply to.
  3. Select “Create a GPO…”
  4. This will Launch Group Policy Editor.
  5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  6. Right Click in the blank area and select New > Local Group > Administrators (Built-in)
  7. Action: Update (This is the most important part).
  8. Add the needed security group. I have added my AUTOMATION Security Group.
  9. Click Apply.
  10. Click OK.
  11. Apply the GPO to the root of the domain OR the appropriate OU.

Incorrect Way (This is how you would create a Restricted Access Group)

Reason this is incorrect: This will wipe out any existing memberships of the Local Administrator Group. 

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the group a name. I used “SG – Local Admins”

CREATE THE GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I used “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “SG – Local Admins”

That should be it. Now you can set which users of the domain are local administrators of their computers.
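
To tell which of the two methods an existing GPO uses without opening the editor, the policy files in SYSVOL can be inspected: the Preferences item is stored in Machine\Preferences\Groups\Groups.xml and Restricted Groups in Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. The PowerShell below is an added example, not part of the original post; the function names, the EXAMPLE domain and the S-1-5-21-0-0-0-* SIDs are assumptions, and the sample file contents are constructed and trimmed.

```powershell
# Added example. Sample inputs are constructed; EXAMPLE and S-1-5-21-0-0-0-* are placeholders.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-GppAdminsSetting {           # hypothetical helper: parses Groups.xml content
    param([xml]$GroupsXml)
    foreach ($p in $GroupsXml.SelectNodes('//Group/Properties')) {
        # Assumes the built-in group was picked in the editor, so groupSid is populated
        if ($p.GetAttribute('groupSid') -ne $AdminsSid) { continue }
        $action = $p.GetAttribute('action')
        # Additive only when Action is Update and neither "delete all member" box is ticked
        $additive = ($action -eq 'U') -and ($p.GetAttribute('deleteAllUsers') -ne '1') -and
                    ($p.GetAttribute('deleteAllGroups') -ne '1')
        [pscustomobject]@{
            Method = "Preferences Local Group (action=$action)"
            Adds   = @($p.SelectNodes('Members/Member[@action="ADD"]') |
                       ForEach-Object { $_.GetAttribute('name') })
            KeepsExistingMembers = $additive
        }
    }
}

function Get-RestrictedGroupsSetting {    # hypothetical helper: parses GptTmpl.inf content
    param([string]$GptTmplInf)
    $pattern = '(?im)^\s*\*' + [regex]::Escape($AdminsSid) + '__Members\s*=\s*(.*)$'
    $m = [regex]::Match($GptTmplInf, $pattern)
    if (-not $m.Success) { return }
    [pscustomobject]@{
        Method = 'Restricted Groups (Members of this group)'
        Adds   = @($m.Groups[1].Value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        KeepsExistingMembers = $false     # the listed members replace the current membership
    }
}

$sampleGroupsXml = @'
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="0" deleteAllGroups="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members><Member name="EXAMPLE\AUTOMATION" action="ADD" sid="S-1-5-21-0-0-0-1105"/></Members>
    </Properties>
  </Group>
</Groups>
'@
$sampleInf = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-0-0-0-1106
'@

@(Get-GppAdminsSetting $sampleGroupsXml) + @(Get-RestrictedGroupsSetting $sampleInf) | Format-List
```

On a real GPO, pass each function the contents of the corresponding file read with Get-Content -Raw.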

Windows: Hide Internet Explorer 11 address bar & navigation bar

Applies to:

Windows Server 2008R2, Windows Server 2012R2, Windows 10

There are two ways this can be accomplished depending on your needs for the controlled environment.

GPO:

I would like to first clarify that there is no single GPO setting that just hides tabs in IE11. There is, however, a GPO setting that forces IE into full-screen mode, which by default removes the tabs and address bar.

The GPO setting you can use to enforce the full-screen view is available under both Computer and User Configuration. Below is its location in the Group Policy Editor console.

  • GPO NAME: Enforce full-screen mode
  • LOCATION: Computer or User configuration – Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  • KEY LOCATION: Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

SCREENSHOT: GPO CONSOLE


WINDOWS REGISTRY:

This will cause the IE address bar to not show. I disabled the Navigation bars too so it gives a clean window experience.

SCREENSHOT: REGISTRY LOCATION WITH VALUES


Download the Registry file.

The GPO and registry keys will cause the browser to open in full view with no address bar or tabs.
