How to Add a Domain Group to the Local Administrators Group on Windows Server 2012 and Later Active Directory Domains using Group Policy (GPO)

If you want a set of domain accounts to have administrative rights on all user PCs, the cleanest way to accomplish this is to use a GPO to push a domain group into each computer's local Administrators group. (Domain Admins are already placed in the local Administrators group when a computer joins the domain, so in practice this is how you delegate local admin rights to other staff, such as a help desk team, without making them Domain Admins.) First, create a security group in your domain; for simplicity's sake call it "Local Administrators". Once you have created this group, add the users (or groups) that should get local admin rights to it, then close the dialog boxes.

Next, open Group Policy Management for your domain. While it is possible to add this setting to the Default Domain Policy, it is better to create a new GPO for the purpose and, rather than linking it at the domain root, to link it to the OU that contains the workstations, so that it does not also apply to domain controllers and servers. In this case, right click on your domain, e.g. contoso.local (or on the workstation OU), and select "Create a GPO in this domain, and Link it here…". This will prompt you for a name for the policy, which would logically be something like "Local Administrators". Once the policy is created (you will see it under the domain or OU you linked it to, alongside the Default Domain Policy), right click it and select "Edit". From here navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right click and choose "Add Group", and enter the domain group you created earlier, e.g. CONTOSO\Local Administrators. In its properties, under "This group is a member of", add Administrators. Do not do it the other way round (adding Administrators as the restricted group and listing your domain group under "Members of this group"): that form enforces the exact membership list and strips everyone else out of the local Administrators group on every policy refresh, including the built-in local Administrator account and Domain Admins. The "member of" form only adds your group and leaves the existing members in place.

You are now done. Domain computers apply the policy at their next Group Policy refresh, which by default runs every 90 minutes with a random offset of up to 30 minutes (domain controllers refresh every 5 minutes), or at the next reboot. If you want to confirm it is working immediately, log in to a domain computer that the GPO applies to and run "gpupdate /force" there; running gpupdate on the domain controller only refreshes the DC's own policy and does not push anything to clients. At this point you should see your "Local Administrators" group listed as a member of the local Administrators group on the machine you are testing (for example in Computer Management under Local Users and Groups).

Just in case, a re-cap of the steps:

  1. Define a domain security group, e.g. "Local Administrators".
  2. Add the users (or groups) that should have local admin rights to this group. Domain Admins are already local admins on domain-joined machines, so this is mainly for delegating to other staff.
  3. Open Server Manager and go to Tools -> Group Policy Management.
  4. Right click on your domain (or, preferably, the OU containing the workstations) and select "Create a GPO in this domain, and Link it here…".
  5. Now that you've created this policy, right click on it again and click "Edit".
  6. Next expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
  7. Right click, choose "Add Group", enter CONTOSO\Local Administrators, and under "This group is a member of" add Administrators. Adding Remote Desktop Users here as well is optional, since members of Administrators can already log on over Remote Desktop by default. Avoid the "Members of this group" box: it replaces the entire membership of the local group rather than adding to it.
  8. Click OK.
  9. On a domain computer that the GPO applies to, execute "gpupdate /force" (or wait for the next refresh or reboot). "Local Administrators" will then appear as a member of the local Administrators group on each host in scope.
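The whole procedure scripted end to end, as an added example that is not from the original post. It assumes a hypothetical domain contoso.local (NetBIOS name CONTOSO), a workstation OU OU=Workstations,DC=contoso,DC=local, a sample help desk account helpdesk.jane, an admin host with the RSAT ActiveDirectory and GroupPolicy modules, and PowerShell remoting enabled on the workstations (Get-LocalGroupMember also needs Windows 10 / Server 2016 or later on the clients). The Restricted Groups entry itself has no GroupPolicy-module cmdlet, so that step stays in the editor as described above; the script does everything around it and then verifies the result on the clients, including a check that the built-in local Administrator account (RID 500) is still present, which is the symptom of having used "Members of this group" by mistake.

```powershell
# Added example: scripts the group/GPO creation and the client-side verification.
# Hypothetical values (adjust for your domain): contoso.local / CONTOSO,
# OU=Workstations,DC=contoso,DC=local, and the user helpdesk.jane.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$NetBios   = 'CONTOSO'
$GroupName = 'Local Administrators'
$GpoName   = 'Local Administrators'
$Target    = 'OU=Workstations,DC=contoso,DC=local'   # link to the workstation OU, not the domain root

# Steps 1-2: create the domain security group (if missing) and populate it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description "Pushed into local Administrators on workstations by the '$GpoName' GPO"
}
Add-ADGroupMember -Identity $GroupName -Members 'helpdesk.jane'   # sample member; Domain Admins are already local admins

# Steps 3-5: create the GPO (if missing) and link it to the workstation OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Restricted Groups: $NetBios\$GroupName is a member of Administrators"
}
$linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes | Out-Null
}

# Steps 6-8 have no cmdlet: in the GPO editor add "$NetBios\$GroupName" under
# Restricted Groups and put Administrators in "This group is a member of".
Write-Host "Edit GPO '$GpoName' in GPMC, configure the Restricted Groups entry, then press Enter."
Read-Host | Out-Null

# Step 9: refresh and verify on the clients (not on the DC), flagging two problems:
#  - the domain group did not arrive (GPO not applied, wrong OU, or not yet replicated)
#  - the built-in Administrator (RID 500) is gone, i.e. "Members of this group" was used
$computers = (Get-ADComputer -Filter * -SearchBase $Target).Name
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $expected = "$using:NetBios\$using:GroupName"
    gpupdate /target:computer /force | Out-Null
    # Get-LocalGroupMember needs Windows 10 / Server 2016 or later on the client.
    $members = Get-LocalGroupMember -Group 'Administrators'
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        HasDomainGroup = [bool]($members | Where-Object { $_.Name -eq $expected })
        Rid500Present  = [bool]($members | Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID.Value -like '*-500' })
        Members        = ($members.Name -join '; ')
    }
}
$report | Sort-Object Computer | Format-Table Computer, HasDomainGroup, Rid500Present, Members -AutoSize

# Anything listed here needs attention before you rely on the policy.
$report | Where-Object { -not $_.HasDomainGroup -or -not $_.Rid500Present }
```

Machines that are offline are silently skipped by Invoke-Command, so compare the number of rows in the report against the number of computers in the OU; a machine that is missing from the report has not been verified, not passed.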
