In this guide, I am going to explain how to manage local administrators using Group Policy in a domain environment.

The Reason Why

Recently I was tasked with granting local administrator access to our HelpDesk group. The easy way would have been to “spill the beans” and hand out our local administrator password. However, for security reasons we decided against that.

Instead, access was granted to a security group, and that group was added to the local Administrators group on every computer in our domain. All of this was done with a single GPO (Group Policy Object).

Here is how I deployed it.

Step 1 – Make Sure You Have A Security Group

We could have simply added user accounts when building the GPO, but that is not the easiest way to manage local administrators, because every time a change is needed the GPO itself would have to be modified. By using a security group, membership changes are made to the group and the policy never needs to be touched again.

Step 2 – Create Your GPO

  1. Log into one of your domain controllers
  2. Open the Group Policy Management Console
  3. Locate the Group Policy Objects folder/container
  4. Right-click the Group Policy Objects folder and select “New”
  5. Give your policy a name. I named mine CC-Local Administrators Mgmt
  6. Locate your newly created policy
  7. Right-click it and select “Edit”
  8. Browse to Computer Configuration > Policies > Windows Settings > Security Settings
  9. Select Restricted Groups
  10. Right-click Restricted Groups and select “Add Group…”
  11. A dialog box will open and ask you to select a group
  12. Enter “Administrators” and click OK
  13. Enter the security group(s) that should have local administrator access into the “Members of this group:” list. Note that this list enforces the exact membership of the local group, so anything not listed here is removed when the policy applies
  14. Click “Add…” under the “Members of this group:” list to add each group
  15. Click OK once completed
  16. Finally, link the new GPO to the OU that contains the computers you want this setting to apply to
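The same preparation can be scripted. The following is an added example, not code from the original post: it creates the security group from Step 1 and creates and links the GPO from Step 2 using the ActiveDirectory and GroupPolicy modules. The group name HelpDesk-LocalAdmins and the two OU paths are assumptions; the GPO name is the one used in the post. The Restricted Groups entry itself (steps 8 to 15) still has to be added in the Group Policy editor, because the GroupPolicy module has no cmdlet for that setting.

```powershell
# Added example (not from the original post). Creates the security group and the GPO,
# then links the GPO to the OU holding the workstations. Run on a domain controller or
# any machine with RSAT installed.
#Requires -Modules ActiveDirectory, GroupPolicy

$GroupName = 'HelpDesk-LocalAdmins'                 # assumed group name
$GroupOU   = 'OU=Groups,DC=example,DC=com'          # assumed location for the group
$TargetOU  = 'OU=Workstations,DC=example,DC=com'    # assumed OU that contains the computers
$GpoName   = 'CC-Local Administrators Mgmt'         # GPO name used in the post

# Step 1: a security group whose members will become local Administrators.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Members are made local Administrators by the Restricted Groups GPO'
}

# The post's closing caveat: Restricted Groups replaces the local group's membership, so
# Domain Admins must be in this group too or it will be removed from local Administrators.
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ('Domain Admins' -notin $members) {
    Add-ADGroupMember -Identity $GroupName -Members 'Domain Admins'
}

# Step 2: create the GPO (if it does not exist yet) and link it to the target OU (step 16).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Manages local Administrators group membership'
}
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Summary of what was created; the Restricted Groups setting is added next in the editor.
$gpo | Select-Object DisplayName, Id, GpoStatus
(Get-GPInheritance -Target $TargetOU).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

After this runs, open the GPO in the editor and add the Restricted Groups entry for Administrators with HelpDesk-LocalAdmins in the “Members of this group:” list, as in steps 8 to 15.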

Step 3 – Test Deployment

Once that is set, go to a PC in the linked OU, run gpupdate /force a couple of times, and then check the local Administrators group on the PC to verify that the security group is now listed.

All done! You can now easily manage local admins from a security group!

Remember that once this policy applies, any existing members of the local Administrators group that are not listed in the policy will be removed. Make sure to add Domain Admins to the security group as well.
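Checking one PC by hand is fine for a test, but the membership replacement described above is worth verifying on every computer the GPO applies to. The following is an added example, not code from the original post: it queries each computer in the target OU over PowerShell Remoting, reads the local Administrators group, confirms the GPO was applied, and reports any member that is extra or missing compared to the expected list. The group name HelpDesk-LocalAdmins and the OU path are assumptions, and remoting is assumed to be enabled on the workstations.

```powershell
# Added example (not from the original post). Audits the local Administrators group on each
# computer in the OU and flags drift from the membership the Restricted Groups GPO enforces.
#Requires -Modules ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=com'    # assumed OU that contains the computers
$GpoName  = 'CC-Local Administrators Mgmt'         # GPO name used in the post
$DomainNB = (Get-ADDomain).NetBIOSName

# Expected membership once the policy applies. The built-in local Administrator account
# (RID 500) cannot be removed by Restricted Groups, so it is excluded from the comparison.
$Expected = @("$DomainNB\HelpDesk-LocalAdmins", "$DomainNB\Domain Admins")   # assumed group name

$computers = Get-ADComputer -SearchBase $TargetOU -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($GpoName)
    # Runs on each workstation. Get-LocalGroupMember needs Windows 10 / Server 2016 or later.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -notlike 'S-1-5-21-*-500' } |   # skip built-in Administrator
        Select-Object -ExpandProperty Name
    # gpresult lists applied GPO display names under "Applied Group Policy Objects".
    $applied = (gpresult /r /scope:computer 2>$null) -match [regex]::Escape($GpoName)
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = @($members)
        GpoApplied = [bool]$applied
    }
} -ArgumentList $GpoName

$report = foreach ($r in $results) {
    $extra   = @($r.Members  | Where-Object { $_ -notin $Expected })
    $missing = @($Expected   | Where-Object { $_ -notin $r.Members })
    [pscustomobject]@{
        Computer   = $r.Computer
        GpoApplied = $r.GpoApplied
        Compliant  = ($extra.Count -eq 0) -and ($missing.Count -eq 0)
        Extra      = $extra   -join ', '
        Missing    = $missing -join ', '
    }
}

$report | Sort-Object Compliant, Computer | Format-Table -AutoSize

# Computers that did not answer still need to be checked another way.
$unreached = $computers | Where-Object { $_ -notin @($results.Computer) }
if ($unreached) { Write-Warning "Not reachable: $($unreached -join ', ')" }
```

A machine showing GpoApplied as False with extra members has usually not refreshed policy yet (rerun gpupdate /force there); a machine showing GpoApplied as True with extra members means something is adding accounts back after policy applies and is worth investigating.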