Add domain users to the local Administrators group via GPO


Open the domain Group Policy Management console (GPMC.msc), create a new policy (GPO) AddLocaAdmins and link it to the OU containing computers (in my example, it is ‘OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com’).

  1. Edit the AddLocaAdmins GPO you created earlier;
  2. Go to the following GPO section: Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups;
  3. Add a new rule (New -> Local Group);
  4. Select Update in the Action field (it is an important option!);
  5. Select Administrators (Built-in) in the Group Name dropdown list. Even if this group has been renamed on the computer, the settings will be applied to the local Administrators group by its SID (S-1-5-32-544);
  6. Click the Add button and select the groups you want to add to the local Administrators group (in our case, this is munWKSAdmins);

You can remove all manually added users and groups from the local Administrators group on all computers: check the “Delete all member users” and “Delete all member groups” options. In most cases this is reasonable, because it guarantees that only the approved domain groups have administrator permissions on your domain computers. If a user is added to the Administrators group manually using the “Local Users and Groups” snap-in, it will be removed automatically the next time the policy is applied.

  7. Save the policy and wait for it to be applied to the client workstations. To apply the Group Policy settings immediately, run gpupdate /force on the user's computer;
  8. Open the lusrmgr.msc snap-in on any domain computer and check the local Administrators group members. Only the munWKSAdmins group should be present, while other users and groups will have been removed (except for the built-in Windows Administrator account).
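The following PowerShell script is an added example, not part of the original article. It scripts the two ends of the procedure above: creating and linking the AddLocaAdmins GPO to the article's computer OU (step 1, using the RSAT GroupPolicy module), and then auditing every computer in that OU for local Administrators membership that does not match what the policy should have enforced (step 8, done against the well-known SID S-1-5-32-544 rather than the group name, for the same reason the article uses Administrators (Built-in)). The Local Group preference item itself (steps 2 to 6) has no cmdlet and still has to be configured in the GPMC editor. The GPO name, group name and OU path are taken from the article; the function names, the Invoke-Command remoting and the assumption that the domain NetBIOS name prefixes group members are mine.

```powershell
# Added example (not from the original article). Requires RSAT (ActiveDirectory and
# GroupPolicy modules) on the admin host and WinRM enabled on the client computers.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName       = 'AddLocaAdmins'                                   # from the article
$TargetOU      = 'OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com'   # from the article
$ApprovedGroup = 'munWKSAdmins'                                    # from the article
$AdminsSid     = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# --- Step 1: create the GPO (if missing) and link it to the computer OU ----------
function Initialize-LocalAdminsGpo {
    param([string]$Name, [string]$Target)
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name -Comment 'Local Administrators membership managed by GPP' | Out-Null
    }
    # New-GPLink fails if the link already exists; that is harmless here.
    New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Steps 2-6 (Local Group item: Action=Update, Administrators (Built-in),
# "Delete all member users/groups", add munWKSAdmins) are configured in the GPMC editor.

# --- Step 8: collect BUILTIN\Administrators membership from every computer in the OU --
function Get-LocalAdminsReport {
    param([string]$SearchBase, [string]$Sid)
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
                 Select-Object -ExpandProperty Name
    Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ArgumentList $Sid -ScriptBlock {
        param($sid)
        # Resolve the group by SID so a renamed Administrators group is still found.
        Get-LocalGroupMember -SID $sid | ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass
                PrincipalSource = $_.PrincipalSource
                Sid             = $_.SID.Value   # flatten to a string before serialisation
            }
        }
    } | Select-Object Computer, Name, ObjectClass, PrincipalSource, Sid
}

# Classify each member: expected (the approved domain group or the built-in
# Administrator account, RID 500) versus drift the policy should have removed.
function Test-LocalAdminsDrift {
    param($Members, [string]$ApprovedName)
    foreach ($m in $Members) {
        $isBuiltinAdmin = ($m.ObjectClass -eq 'User' -and $m.Sid -like 'S-1-5-21-*-500')
        $isApproved     = ($m.Name -ieq $ApprovedName)
        [pscustomobject]@{
            Computer = $m.Computer
            Member   = $m.Name
            Source   = $m.PrincipalSource
            Status   = if ($isApproved -or $isBuiltinAdmin) { 'expected' } else { 'UNEXPECTED' }
        }
    }
}

Initialize-LocalAdminsGpo -Name $GpoName -Target $TargetOU

$domainNetbios = (Get-ADDomain).NetBIOSName     # assumption: members appear as DOMAIN\group
$members = Get-LocalAdminsReport -SearchBase $TargetOU -Sid $AdminsSid
$result  = Test-LocalAdminsDrift -Members $members -ApprovedName "$domainNetbios\$ApprovedGroup"

$result | Sort-Object Status, Computer | Format-Table -AutoSize
# Computers that never answered WinRM are missing from $result; list them separately.
$answered = $result.Computer | Sort-Object -Unique
Get-ADComputer -Filter * -SearchBase $TargetOU |
    Where-Object { $_.Name -notin $answered } |
    ForEach-Object { Write-Warning "No membership data from $($_.Name) (offline or WinRM blocked)" }
```

Run it from a management host after the policy has had time to apply (or after gpupdate /force on a test machine). Any row marked UNEXPECTED is either a machine the policy has not reached yet (compare with gpresult /r /scope:computer on that host) or an account that was added locally after the last refresh and will be removed at the next policy cycle; machines that do not answer at all are reported separately so that a silent remoting failure is not mistaken for a clean result.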