Q

Using GPOs to add accounts or groups to the local admin group

On Sept. 18 someone asked you if you could use GPOs to add accounts or groups to the local administrators group on the local workstations, as well as change the local administrator's password. Your response was "Nope." Were you just referring to the changing of the administrator account password? I'm using a GPO to change/add who is a member of the local admins group on the local workstation.
I was obviously not very clear in that answer! Thanks for pinging me on that. Yes, there is currently no direct way to manage the administrator passwords via group policy. However, you can manage the membership of the administrators group (or any other group) on the machines. This is done in the group policies' Computer Configuration ->Windows Settings -> Security Settings -> Restricted Groups. From here you can configure a group, the members allowed to be in the group and minimally to which groups the group is allowed to belong. Be very careful about making such policy changes in the default domain policy and the domain controllers policy! You could inadvertently lock yourself out of the machines and cause some real chaos. I would suggest creating a new organizational unit for the machines you want to control and then applying the policy there.
This was first published in December 2002

Dig deeper on Microsoft Group Policy Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close