One of the issues many network administrators still face is that a lot of mission-critical software still expects (or even requires) local administrator rights in order to work properly. Besides the security implications (every account with local admin is a foothold for credential theft and lateral movement), one of the biggest annoyances is keeping track of which users actually need local admin, and on which machines. Thankfully, you can use a Group Policy Object (GPO) to help with this.
Here, we’ll create a GPO that uses a Group Policy Preferences item to place an AD security group into the local Administrators group on a chosen set of computers.
- Create a security group and populate it with the users who need local admin permissions.
- Create a second security group and add the computer accounts of all the machines those users need to be admins on.
- Create a new GPO and link it at the root of your domain.
- Under “Security Filtering” on the new GPO, add the second group (the computer list) and remove “Authenticated Users”, so that only those computers apply the policy. If you leave “Authenticated Users” in the filter, the policy applies to every computer in the domain.
- Edit the policy and navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
- Right-click in the (presumably empty) list on the right and select New > Local Group.
- If there’s a “trick” to this process, it’s this: you can’t delete built-in groups. So the only “Action” that makes sense here is “Update”; anything else is likely to just get you a
- From the “Group name” drop-down, select “Administrators (built-in)”.
- Leave “Delete all member users” and “Delete all member groups” unchecked unless you really intend to strip every existing member (Domain Admins included) out of the local Administrators group on every target machine.
- Under “Members”, click the Add button, find the first group you created in step 1, and leave its action as “Add to this group”.
- Click OK.
Proceed with your normal group policy testing (Group Policy Modeling, gpresult /h report.html, etc.). One thing to keep in mind: a computer’s group membership is evaluated from its Kerberos ticket, so a machine you have just added to the second group will not match the security filter until it is rebooted (or its computer-account tickets are purged). After that, all the users you put in the first group should have local admin privileges on all the machines in the second group. As you bring new users and machines online, you can just add them to the relevant groups instead of manually editing the local Administrators group on each box.
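As an added example (not part of the original post), the following PowerShell automates steps 1 through 6 with the RSAT ActiveDirectory and GroupPolicy modules and then checks the result on one target machine. The Local Group preference item itself (steps 7 through 12) has no cmdlet and is still configured in the Group Policy Management Editor. The group, GPO, OU, user and computer names are all assumptions.

```powershell
# Added example, not from the original post. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules) and rights to create groups and GPOs. Every name below
# is an assumption; adjust it to your environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$UserGroup     = 'LocalAdmin-Users'        # assumed: users who get local admin
$ComputerGroup = 'LocalAdmin-Computers'    # assumed: computers the GPO applies to
$GpoName       = 'Local Admins via GPP'    # assumed GPO name
$Domain        = Get-ADDomain
$GroupOU       = "OU=Groups,$($Domain.DistinguishedName)"   # assumed OU for the groups

# Steps 1 and 2: create the two security groups if they do not exist yet
foreach ($name in $UserGroup, $ComputerGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}
# Assumed sample members: one user account and one computer account
Add-ADGroupMember -Identity $UserGroup     -Members (Get-ADUser -Identity 'jdoe')
Add-ADGroupMember -Identity $ComputerGroup -Members (Get-ADComputer -Identity 'WS-0123')

# Steps 3 and 4: create the GPO and link it at the domain root
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $Domain.DistinguishedName).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Domain.DistinguishedName -LinkEnabled Yes | Out-Null
}

# Step 6: security filtering. The computer group gets Apply (which includes Read);
# Authenticated Users is cut back from Apply to Read (-Replace forces the downgrade)
# so the policy is no longer applied to every computer in the domain.
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Steps 7 to 12 (the Local Group preference item) are configured in the
# Group Policy Management Editor, as described above.

# Verification: returns $true when the user group is a member of the local
# Administrators group on the target. Reboot the target after adding it to the
# computer group first; its group membership comes from its Kerberos ticket.
function Test-LocalAdminGroup {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $GroupName -ScriptBlock {
        param($GroupName)
        gpupdate /target:computer /force | Out-Null
        # Members are listed as DOMAIN\name; match on the name part only
        $hit = Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.ObjectClass -eq 'Group' -and $_.Name -like "*\$GroupName" }
        [bool] $hit
    }
}

Test-LocalAdminGroup -ComputerName 'WS-0123' -GroupName $UserGroup
```

The second Set-GPPermission call needs -Replace because the cmdlet never lowers an existing permission level on its own; without it, Authenticated Users would keep Apply and the filter would be meaningless. Test-LocalAdminGroup uses WinRM, so the target must allow PowerShell remoting from the machine you run it on.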