Local Administrators via Group Policy

When running a Windows Server network we are able to control all sorts of things centrally. However, good practice (and experience) tells us that too much automation can be a bad thing.

One bit of scripting that can save an awful lot of headaches is the ability to grant local administrative rights to users.

Granting network-wide admin rights is extremely risky, so it is best to keep the list of Domain Admins very short.



Open Active Directory Users and Computers
Select your Security Group OU
Right Click and select New > Group
Give the group a name; I used “AUTOMATION”.


Launch Group Policy Management Console.
Right click the OU that you want the GPO to apply to.
Select “Create a GPO…”
This will launch the Group Policy Editor.
Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
Right-click in the blank area and select New > Local Group, then choose Administrators (built-in) as the group name.
Action: Update (this is the most important part: Update adds the group to the existing members rather than replacing them, as long as the "Delete all member users" and "Delete all member groups" boxes are left unticked).
Add the needed security group. I have added my AUTOMATION Security Group.
Click Apply.
Click OK.
Apply the GPO to the root of the domain OR the appropriate OU.


That’s the configuration bit, but once it is done you should force a gpupdate on the server and then on the networked PCs.
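As an added example (not part of the original post), the following PowerShell script refreshes computer policy on a domain-joined PC and then checks that the AUTOMATION group actually landed in the local Administrators group, flagging any member that is not on an expected list. The NetBIOS domain name is an assumption you will need to change; it needs PowerShell 5.1 or later for Get-LocalGroupMember.

```powershell
# Added example: verify the GPP "Local Group" item did what we expect.
# Assumptions: NetBIOS domain name below, and the AUTOMATION group from the steps above.
param(
    [string]$DomainNetbios = 'CORP',       # assumption: replace with your NetBIOS domain name
    [string]$AdminGroup    = 'AUTOMATION'  # the security group created earlier
)

# Members you expect to find in BUILTIN\Administrators on a domain-joined PC.
$Expected = @(
    "$env:COMPUTERNAME\Administrator",
    "$DomainNetbios\Domain Admins",
    "$DomainNetbios\$AdminGroup"
)

# Force a computer-side policy refresh so the preference item is applied now.
gpupdate /target:computer /force | Out-Null

# Current members. Orphaned SIDs can make this cmdlet throw, so continue past them.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name

if ($members -notcontains "$DomainNetbios\$AdminGroup") {
    Write-Warning "$AdminGroup is NOT in local Administrators; check 'gpresult /r /scope:computer' to see whether the GPO applied."
} else {
    Write-Host "$AdminGroup is present in local Administrators."
}

# Anything outside the expected list is worth a look (stale accounts, ad-hoc admins).
$unexpected = $members | Where-Object { $Expected -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
}
```

Run it from an elevated prompt on one PC first; once it reports the group as present, the same script can be pushed to the rest of the fleet with Invoke-Command.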

There is another method, but apparently that one overwrites the existing local admins.

More information (and original article) at https://www.mowasay.com/2017/06/adding-a-security-group-to-the-local-administrator-group-in-ad/