Add local user to Admin Group

Okay I know it’s a bit off-topic but I was so pleased with this solution that I have to share it.

The goal is to add a user to the local admin group using policies. Only one user to one machine, no group of user to a specific group of machines.

We prefered to not use scripting solutions so we came up with this :

-> For the moment we use the AD Computer ManagedBy attribute in order to define a link between a computer and a specific user. ( This is a prerequisite ) We decided that the ManagedBy user could be added to the local administrators group only if the user is part a specific DL admin group.

-> Create a policy with 2 preferences. First one will clear the Local admin group.

-> Second preference will add the %SuperUser% to the local admin group

-> Define the item level targeting

Part 1 assigns the Value of the AD Managedby Attribute

Part2 verifies if the ManagedBy user is part of the Local Admin Group ( here GG_U_LocalAdmin)

Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

Attribute = The attribute will only be presented as output if the user is part of the group

Update ! this filter does not return the group membership if nested group membership is being used. You can alter the query in order to include the nested group membership like this :


See for more information.

-> And test.

-> Remove user from group and run gpupdate.

-> And verify


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s