(GPO) Set AD-User as local admin on all PCs in specific OU

Tags: active-directory, group-policy, organizational-unit

In my AD I have these two OUs: OU PC and OU User. There are a few users in the OU "Users" and several machines in the OU "PC".
I now need to write a GPO for one of these users which will automatically add him to the "local administrator group" on all of these machines – which either already are in that OU "PC", or will be added in the future.
Of course I could set him as a local admin manually on all of these PCs, but I need it to do that automatically.

Is there an option or a way to do that using a GPO?

Greetings!

Best Answer

You add local admins with Restricted Groups, which is in Computer Configuration. Therefore you can by definition add this GPO for the OU containing the computers you want it to affect.

  1. Add a new Group Object in your AD, e.g. DOMAIN\Local Admins. Its container is not relevant.
  2. Add a new GPO "Local Admins" and link it to the OU=PC.
  3. In Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, add the group DOMAIN\Local Admins.
  4. Add it to "This group is a member of" the groups: Administrators & Remote Desktop Users.

If you use different language versions of Windows the administrative group names can be different. In multilingual environments you can refer to these generic groups by their security identifiers (SIDs):

  • S-1-5-32-544 for Administrators
  • S-1-5-32-555 for BUILTIN\Remote Desktop Users
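As an added example (not part of the answer above), the following PowerShell automates steps 1 and 2 of that procedure and then audits the result by enumerating the local Administrators group on every computer in the OU. It looks the group up by its SID S-1-5-32-544 so the check works regardless of the Windows language, as the answer points out. The group name "Local Admins", the user "jdoe" and the DN "OU=PC,DC=example,DC=com" are placeholders; the RSAT ActiveDirectory and GroupPolicy modules must be installed, and the remote computers must allow PowerShell remoting.

```powershell
# Added example, not from the original answer. Automates steps 1 and 2 (group and
# GPO/link) and verifies local Administrators membership on the PCs in the OU.
# Placeholders: adjust the group name, user, OU DN and GPO name for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'Local Admins'                 # step 1: domain group that becomes local admin
$UserName  = 'jdoe'                         # placeholder: the user to grant local admin
$PcOu      = 'OU=PC,DC=example,DC=com'      # placeholder DN of the OU holding the computers
$GpoName   = 'Local Admins'                 # step 2: name of the GPO linked to that OU

# Step 1: create the domain group (its container does not matter) and add the user.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators on PCs in OU=PC via Restricted Groups GPO'
}
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Step 2: create the GPO if needed and link it to the PC OU (idempotent).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Restricted Groups: Local Admins -> Administrators, Remote Desktop Users'
}
$alreadyLinked = (Get-GPInheritance -Target $PcOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $PcOu -LinkEnabled Yes | Out-Null
}

# Steps 3 and 4 (the Restricted Groups entry itself) are configured in the GPMC
# as described in the answer; this script does not edit the GPO's security template.

# Verification (after the clients have refreshed policy): list the members of the
# local Administrators group by SID on every computer object in the OU.
$computers = Get-ADComputer -Filter * -SearchBase $PcOu | Select-Object -ExpandProperty Name
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, PrincipalSource,
                      @{ n = 'SID'; e = { $_.SID.Value } }   # string SID survives remoting cleanly
}
$report | Sort-Object Computer, Name | Format-Table Computer, Name, PrincipalSource, SID -AutoSize

# Flag computers where the domain group has not (yet) shown up in local Administrators,
# e.g. offline machines, unreachable ones, or machines that have not refreshed policy.
$expectedSid = (Get-ADGroup -Identity $GroupName).SID.Value
$compliant   = ($report | Where-Object SID -eq $expectedSid).Computer
$computers | Where-Object { $_ -notin $compliant } |
    ForEach-Object { Write-Warning "$_ : '$GroupName' not found in local Administrators" }
```

The audit loop is the part worth keeping around: Restricted Groups in "member of" mode adds the domain group without touching existing local members, so unexpected extra entries in the report (local accounts, other domain groups) are exactly what this listing surfaces.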