Manage Learn to apply best practices and optimize your operations.

Using GPOs to add accounts or groups to the local admin group

On Sept. 18 someone asked you if you could use GPOs to add accounts or groups to the local administrators group on the local workstations, as well as change the local administrator's password. Your response was "Nope." Were you just referring to the changing of the administrator account password? I'm using a GPO to change/add who is a member of the local admins group on the local workstation.
I was obviously not very clear in that answer! Thanks for pinging me on that. Yes, there is currently no direct way to manage the administrator passwords via group policy. However, you can manage the membership of the administrators group (or any other group) on the machines. This is done in the group policies' Computer Configuration ->Windows Settings -> Security Settings -> Restricted Groups. From here you can configure a group, the members allowed to be in the group and minimally to which groups the group is allowed to belong. Be very careful about making such policy changes in the default domain policy and the domain controllers policy! You could inadvertently lock yourself out of the machines and cause some real chaos. I would suggest creating a new organizational unit for the machines you want to control and then applying the policy there.

Dig Deeper on Windows systems and network management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.