By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
On Sept. 18 someone asked you if you could use GPOs to add accounts or groups to the local administrators group on the local workstations, as well as change the local administrator's password. Your
was "Nope." Were you just referring to the changing of the administrator account password? I'm using a GPO to change/add who is a member of the local admins group on the local workstation.
I was obviously not very clear in that answer! Thanks for pinging me on that. Yes, there is currently no direct way to manage the administrator passwords via group policy. However, you can manage the membership of the administrators group (or any other group) on the machines. This is done in the group policies' Computer Configuration ->Windows Settings -> Security Settings -> Restricted Groups. From here you can configure a group, the members allowed to be in the group and minimally to which groups the group is allowed to belong. Be very careful about making such policy changes in the default domain policy and the domain controllers policy! You could inadvertently lock yourself out of the machines and cause some real chaos. I would suggest creating a new organizational unit for the machines you want to control and then applying the policy there.