Ask the Expert

Using GPOs to add accounts or groups to the local admin group

On Sept. 18 someone asked you if you could use GPOs to add accounts or groups to the local administrators group on the local workstations, as well as change the local administrator's password. Your response was "Nope." Were you just referring to the changing of the administrator account password? I'm using a GPO to change/add who is a member of the local admins group on the local workstation.

    Requires Free Membership to View

I was obviously not very clear in that answer! Thanks for pinging me on that. Yes, there is currently no direct way to manage the administrator passwords via group policy. However, you can manage the membership of the administrators group (or any other group) on the machines. This is done in the group policies' Computer Configuration ->Windows Settings -> Security Settings -> Restricted Groups. From here you can configure a group, the members allowed to be in the group and minimally to which groups the group is allowed to belong. Be very careful about making such policy changes in the default domain policy and the domain controllers policy! You could inadvertently lock yourself out of the machines and cause some real chaos. I would suggest creating a new organizational unit for the machines you want to control and then applying the policy there.

This was first published in December 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: