Problem: Office politics made it impossible to take away all administrative rights for some staff members. You need a painless way to delegate administrative rights to certain users without jeopardizing the security of many machines.
Solution: Use User Configuration – Local Users and Groups Preferences to add and remove users depending on who is logged on. Ready to see it in action? Read on.
Manage Administrative Permissions with Group Policy Preferences
Start by creating two security groups in Active Directory named something like:
- Local Admin Computers
- Local Admin Users
Add the users needing administrative rights to the Local Admin Users group. Any computer that they need the permissions on should be added to the Local Admin Computers group. I prefer using two separate groups as I do not like to have multiple object types in the same security group.
Create a new GPO named Restricted Group: Additional Local Admins. Though we will be using Group Policy Preferences, I like keeping the GPO prefix the same as my other Restricted Groups GPOs. Under Security Filtering, add both groups that you created earlier. We will be using loopback for this GPO – both the user and the computer will need permission to apply the GPO. The GPO should be linked to an OU containing members of the Local Admin Computers security group.
Edit the GPO. If your computers do not already have loopback enabled, navigate to Computer Configuration/Policies/Administrative Templates/System/Group Policy. Enable Configure user Group Policy loopback processing mode and set the mode to Merge. Ensure that the GPO is processed when a member of Local Admin Users logs into a computer in the Local Admin Computers group. If not, see this Group Policy troubleshooting guide.
Under User Configuration, navigate to Preferences/Control Panel Settings/Local Users and Groups. Select New – Local Group. Under Group Name, select the search button (…) and search for Administrators. Make sure that the scope is set to the local computer’s account. Enable Add the current user and check the Delete all member users box. Your preference should look like the screenshot below:
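As an added example (not code from the original post), the PowerShell below scripts the Active Directory and GPO scaffolding from the steps above: the two groups, the security filtering, loopback in Merge mode and the OU link. It assumes the ActiveDirectory and GroupPolicy RSAT modules, rights to create GPOs, and a placeholder OU distinguished name and sample principals that you would replace; the Local Users and Groups preference item itself is still created in the Group Policy Management Editor as described.

```powershell
# Added example, not part of the original post. Assumes RSAT modules and a
# placeholder OU; the GPP "Administrators" item is still built in the editor.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computersGroup = 'Local Admin Computers'
$usersGroup     = 'Local Admin Users'
$gpoName        = 'Restricted Group: Additional Local Admins'
$targetOU       = 'OU=Workstations,DC=example,DC=com'   # placeholder, use your OU

# 1. Two separate security groups so users and computers are never mixed.
foreach ($g in $computersGroup, $usersGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
Add-ADGroupMember -Identity $usersGroup     -Members 'abigail.admin'  # sample user
Add-ADGroupMember -Identity $computersGroup -Members 'PC-01$'         # sample computer (sAMAccountName ends in $)

# 2. GPO with security filtering limited to the two groups. Both need Apply
#    because the user-side preference is delivered through loopback.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPPermission -Name $gpoName -TargetName $usersGroup     -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $computersGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# Authenticated Users keep Read (clients need it to fetch the GPO) but lose Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Loopback processing in Merge mode (UserPolicyMode: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the OU that holds the Local Admin Computers members.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU | Out-Null }

# 5. Check on a workstation after logon: with "Delete all member users" set,
#    only the current user should appear next to the built-in members.
# Get-LocalGroupMember -Group Administrators | Select-Object Name, ObjectClass, PrincipalSource
```

Run step 5 on PC-01 as each test user in turn to confirm that the previous user's account is gone and only the current logon remains in Administrators.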
You are done! Easy right? Now, how will this preference interact in a live environment?
What is going on behind the scenes with GPP Local Users and Groups
We have a user, Abigail Admin. She is a member of the Local Admin Users group. When she logs into PC-01 (which is a member of Local Admin Computers), she will be made an administrator on her first logon! When she logs into PC-02 (which is not a member of Local Admin Computers), she will not be an administrator.
If Adam Admin (who is also a member of Local Admin Users) logs into PC-01, Abigail is removed from the administrators group and Adam will be added. This keeps our Administrators group clean and minimizes potential issues.
This method is significantly better than making all members of the Local Admin Users group administrators on every computer in the Local Admin Computers group. Only one user is an administrator of a single computer at a time. If you wanted to get more granular, you could even create specific security groups and use Item Level Targeting to do 1:1 matches.
Local Users and Groups Preferences pair nicely with Restricted Groups. GPP will overlay its changes on top of policies deployed by Restricted Groups (in either Append or Clear mode). Groups controlled by Restricted Groups will still be populated as normal.
How are you managing group memberships? Will Group Policy Preferences make the process easier?