--- Sjoerd Hooft's InFormation Technology ---

Local Administrator GPO

Introduction

This is how to make a GPO to make every domain user a local administrator. Please remember that this is not best practice and you should have a really good reason to do this. The reason I did it is that software developers need local administrator rights to compile software. There isn't much I can do about it. The only thing I can do is have a good imaging policy. They break it, I image it!

AD Users and Computers

Creating the GPO can be done in a couple of ways. I take the easy way, with the Active Directory Users and Computers console. Select or create the OU in which you want the policy to apply, and open its properties (on a machine where the Group Policy Management Console is installed, the Group Policy tab only hands you over to GPMC; the settings you edit are the same there):
adusersandcomputers1.jpg
In the new window select the Group Policy tab and create a new GPO. Give the new GPO a name that is descriptive of its function. Then select Edit:
adusersandcomputers2.jpg
Go to "Computer Configuration" → "Windows Settings" → "Security Settings" → "Restricted Groups", right-click it and select "Add Group":
adusersandcomputers3.jpg
Type the name of the domain group that should get local administrator rights on the computers beneath the OU (in DOMAIN\Group form, or use Browse so the editor resolves it to a SID):
adusersandcomputers4.jpg
In the new window, add "Administrators" under "This group is a member of". Use this side of the dialog, not "Members of this group": "member of" adds your group to the local Administrators group and leaves the existing members alone, whereas "Members of this group" enforces an exact membership list and removes everything that is not listed on every refresh:
adusersandcomputers5.jpg

Save your settings and you're done.
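The same GPO built from PowerShell, as an added example that is not part of the original page. It assumes the GroupPolicy and ActiveDirectory RSAT modules, rights to create GPOs and write to SYSVOL, and placeholder names for the OU, GPO and group. There is no GPMC cmdlet for Restricted Groups, so step 2 writes the GptTmpl.inf file the editor would write, and step 3 bumps the GPO version and registers the Security Settings client-side extension, which the editor does for you when you click through the GUI:

```powershell
# Added example (not the page's own procedure). Assumes the GroupPolicy and
# ActiveDirectory RSAT modules, rights to edit GPOs and SYSVOL, and these
# placeholder names.
$OU        = 'OU=Developer Workstations,DC=example,DC=local'   # assumed OU
$GpoName   = 'Developers - Local Administrators'                # assumed GPO name
$GroupName = 'Developers'                                       # assumed domain group

Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Create the GPO and link it to the OU (the ADUC clicks above).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Adds $GroupName to the local Administrators group"
}
$linked = (Get-GPInheritance -Target $OU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes | Out-Null
}

# 2. Restricted Groups has no GPMC cmdlet. The editor stores it in GptTmpl.inf
#    under the GPO's Machine folder in SYSVOL, so write the same file by hand.
#    "__Memberof" is the "This group is a member of" setting; "__Members" is
#    left empty on purpose so existing local Administrators are not removed.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$adminSid = 'S-1-5-32-544'                      # well-known SID of BUILTIN\Administrators
$domain   = (Get-ADDomain).DNSRoot
$gpoDir   = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
$secedit  = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secedit -Force | Out-Null

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${groupSid}__Memberof = *$adminSid
*${groupSid}__Members =
"@
Set-Content -Path (Join-Path $secedit 'GptTmpl.inf') -Value $inf -Encoding Unicode

# 3. Clients only re-read a GPO whose version changed, and only run the
#    client-side extensions listed on the GPO object. Bump the version in both
#    AD and gpt.ini (the machine half is the low 16 bits, so +1 is enough) and
#    register the Security Settings CSE. The GUID pair is the one the editor
#    writes for Security Settings; prepending it assumes a fresh GPO that has no
#    other machine-side extensions yet (the list must otherwise stay sorted).
$adObj   = Get-ADObject -Identity $gpo.Path -Properties versionNumber, gPCMachineExtensionNames
$version = [int]$adObj.versionNumber + 1
$secCse  = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$ext     = if ($adObj.gPCMachineExtensionNames -like '*827D319E*') {
               $adObj.gPCMachineExtensionNames
           } else {
               "$secCse$($adObj.gPCMachineExtensionNames)"
           }
Set-ADObject -Identity $gpo.Path -Replace @{ versionNumber = $version; gPCMachineExtensionNames = $ext }
Set-Content -Path (Join-Path $gpoDir 'gpt.ini') -Value "[General]`r`nVersion=$version" -Encoding Ascii

# 4. Review the result as GPMC would show it before anything refreshes.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Open the generated report and confirm that Restricted Groups lists your group with Administrators under "Member of" and nothing under "Members"; if the settings do not show up, the version or extension step did not take and clients will never process the file.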

Refresh GPO

Remember that group policies can take a while before they are applied. Computer settings (such as this Restricted Groups policy) and user settings are refreshed and applied in the following instances:

  • At computer startup (computer settings) and at user logon (user settings)
  • When gpupdate is run at the client computer
  • At the background refresh interval, if one is configured at that computer
    • By default:
      • Domain controllers are refreshed every five minutes
      • All other computers are refreshed every 90 minutes, plus a random offset of up to 30 minutes (the offset interval)

Security settings such as Restricted Groups are also reapplied about every 16 hours even when the GPO has not changed, so a member that was removed from the local Administrators group by hand comes back on the next of those refreshes.

You can change these settings using gpedit.msc: start it and go to "Computer Configuration" → "Administrative Templates" → "System" → "Group Policy". Note that gpedit.msc edits the local policy of the computer you run it on; for domain members, put the same setting in a domain GPO, because a domain policy overrides the local one:
gpedit.jpg

See this Microsoft knowledgebase article for more information on how to change these settings.

Refresh GPO remote

Older Windows versions have no built-in way to refresh Group Policy on a remote computer. Since Windows Server 2012 and Windows 8, the Group Policy Management Console offers "Group Policy Update" on an OU and the GroupPolicy PowerShell module has Invoke-GPUpdate; both schedule gpupdate as a task on the target over WMI/RPC, so the target's firewall has to allow that. For older systems there are several tools that will let you do this. This describes using psexec.exe, a lightweight telnet substitute that can be used to launch processes on remote Windows computers. It is part of the Sysinternals suite (now distributed by Microsoft) and needs administrator rights and access to the ADMIN$ share on the target.

Once you've downloaded psexec, open a command prompt and type

psexec \\computer cmd 

where computer is the name or IP address of the remote computer you are targeting. Once you've done this, you're looking at an interactive command prompt on the remote computer, and any command (like gpupdate /force) you now type is executed on the remote machine instead of the local one. Of course, this can also be done on several computers automatically, when you use a computer list:

psexec @ComputerList.txt gpupdate /Target:Computer /force
psexec @ComputerList.txt gpupdate /Target:User /force

ComputerList.txt holds one computer name per line; note that PsExec's file form is @file without a leading dash. For the Restricted Groups policy only the computer refresh matters. gpupdate /Target:User refreshes the user policy of the account the process runs as, so through psexec (which runs the command under your own credentials unless you pass -u) it does not refresh the policy of whoever is logged on interactively at that desk.
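A built-in alternative to the psexec loop, plus the check that the policy actually did what you intended, as an added example that is not part of the original page. It assumes Windows 8 / Server 2012 or later targets with WinRM enabled, the GroupPolicy and ActiveDirectory RSAT modules, and placeholder names for the OU, the policy group and the members you consider legitimate local administrators:

```powershell
# Added example (not the page's own procedure). Assumes WinRM-enabled targets,
# the GroupPolicy and ActiveDirectory RSAT modules, and these placeholder names.
$OU        = 'OU=Developer Workstations,DC=example,DC=local'   # assumed OU
$GroupName = 'EXAMPLE\Developers'                              # assumed policy group
# Accounts allowed in local Administrators besides the policy group (assumed list).
$Allowed   = @('Administrator', $GroupName, 'EXAMPLE\Domain Admins')

Import-Module GroupPolicy
Import-Module ActiveDirectory

$computers = Get-ADComputer -SearchBase $OU -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty Name

# Remote refresh without psexec: Invoke-GPUpdate schedules gpupdate on the
# target (needs the Remote Scheduled Tasks Management / WMI firewall rules).
foreach ($c in $computers) {
    try {
        Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
    } catch {
        Write-Warning ("{0}: refresh failed: {1}" -f $c, $_.Exception.Message)
    }
}

# gpupdate runs asynchronously on the targets; give it a moment before checking.
Start-Sleep -Seconds 60

# Read the real membership of the local Administrators group on every target.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $_.Name; Type = $_.ObjectClass }
    }
}

# One row per computer: did the policy group arrive, and who else is in there?
foreach ($grp in ($members | Group-Object -Property Computer)) {
    $names = @($grp.Group.Member)
    # Local accounts come back as HOST\name; strip the host so they match $Allowed.
    $unexpected = $names | Where-Object {
        ($_ -notin $Allowed) -and (($_ -replace ('^' + [regex]::Escape($grp.Name) + '\\'), '') -notin $Allowed)
    }
    [pscustomobject]@{
        Computer        = $grp.Name
        PolicyApplied   = ($names -contains $GroupName)
        UnexpectedAdmin = ($unexpected -join ', ')
    }
}

# Computers that did not answer at all are the ones to chase by hand.
$missing = $computers | Where-Object { $_ -notin $members.Computer }
if ($missing) { Write-Warning ("No result from: " + ($missing -join ', ')) }
```

A row with PolicyApplied set to False after the refresh usually means the GPO link or version was not picked up (gpresult /r /scope:computer on that machine shows whether the GPO was applied); a non-empty UnexpectedAdmin column is exactly the drift that the "Members of this group" variant of Restricted Groups would wipe, so decide deliberately which behaviour you want before switching to it.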
localadministratorgpo.txt · Last modified: 2021/09/24 00:24 (external edit)