Add local user to Admin Group


Okay, I know it's a bit off-topic, but I was so pleased with this solution that I have to share it.

The goal is to add a user to the local Administrators group using Group Policy. Only one user to one machine, not a group of users to a specific group of machines.

We preferred not to use a scripting solution, so we came up with this:

-> For the moment we use the ManagedBy attribute of the AD computer object to define the link between a computer and a specific user (this is a prerequisite). We decided that the ManagedBy user may be added to the local Administrators group only if that user is a member of a specific admin group in AD (the group acts as the allow-list; a user who is ManagedBy but not in that group gets nothing).


-> Create a policy with two Local Users and Groups preferences. The first one clears the local Administrators group. Be careful with the "Delete all member groups" option: it also removes Domain Admins, so add that group back in the same item if you want to keep it.



-> The second preference adds %SuperUser% to the local Administrators group. %SuperUser% is the variable filled by the item-level targeting below, so the preference only applies when the targeting matches.


-> Define the item-level targeting (two LDAP Query targeting items).

Part 1 reads the ManagedBy attribute of the computer object and stores its value (the user's distinguished name) in the %managedby% variable.


Part 2 verifies that the ManagedBy user is a member of the AD admin group (here GG_U_LocalAdmin):

Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

Attribute = the attribute bound to %SuperUser% (for example the user's sAMAccountName). It is only returned, and the second preference only applies, if the user is part of the group.

Update! This filter does not match nested group membership (a user who is in a group that is itself a member of GG_U_LocalAdmin). You can alter the query to include nested membership by using the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) on memberOf, like this:

(&(objectCategory=user)(distinguishedName=%managedby%)(memberof:1.2.840.113556.1.4.1941:=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

See http://social.technet.microsoft.com/Forums/en-US/8ebae09d-299c-4486-b188-ce1715f7bc36/question-about-using-an-ldap-filter-to-get-memberof-from-an-ad-group?forum=winserverDS for more information.

-> And test: run gpupdate on the machine and check that the ManagedBy user now appears in the local Administrators group.


-> Remove the user from the GG_U_LocalAdmin group and run gpupdate again.



-> And verify that the user is gone from the local Administrators group (the first preference cleared it and the second one no longer matched).
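To troubleshoot the targeting before rolling the policy out, it helps to run the same two LDAP queries by hand from a PowerShell prompt on the client. The script below is an added example and not part of the original post: it reads the computer's ManagedBy DN (Part 1), runs the nested-membership filter from the update above against it (Part 2), and shows what %SuperUser% would resolve to, then lists the current local Administrators members for comparison. It assumes sAMAccountName is the attribute bound to %SuperUser% and uses the group DN from the post; replace the DN for your own domain. Get-LocalGroupMember needs Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the original post): reproduce the two item-level
# targeting LDAP queries to check what the GPP would resolve for a computer.
# Uses System.DirectoryServices only, so RSAT is not required.
# Assumptions: sAMAccountName is the attribute bound to %SuperUser%, and the
# group DN below is the one used in the post (replace it for your domain).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$AdminGroupDn = 'CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local'
)

# Part 1: fetch the managedBy DN of the computer object (the first LDAP Query item).
$computerSearch = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$computerSearch.PropertiesToLoad.Add('managedBy') | Out-Null
$computer = $computerSearch.FindOne()
if (-not $computer) { throw "Computer object '$ComputerName' not found in AD." }

$managedBy = [string]($computer.Properties['managedby'] | Select-Object -First 1)
if (-not $managedBy) {
    # With an empty managedBy the targeting never matches, so nobody is added.
    Write-Warning "managedBy is empty on $ComputerName; the preference would not apply."
    return
}
Write-Host "managedBy = $managedBy"

# Part 2: the nested-membership filter from the post. A DN used as a filter value
# must have \ ( ) * escaped per RFC 4515, otherwise the query breaks or matches nothing.
$escapedDn = $managedBy -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$filter = "(&(objectCategory=user)(distinguishedName=$escapedDn)(memberof:1.2.840.113556.1.4.1941:=$AdminGroupDn))"
$userSearch = [adsisearcher]$filter
$userSearch.PropertiesToLoad.Add('sAMAccountName') | Out-Null
$user = $userSearch.FindOne()

if ($user) {
    # This is the value the second item would hand to %SuperUser%.
    $superUser = [string]($user.Properties['samaccountname'] | Select-Object -First 1)
    Write-Host "Eligible: '$superUser' would be added to the local Administrators group."
} else {
    Write-Host "Not eligible: the managedBy user is not a (nested) member of $AdminGroupDn."
}

# Compare with the actual state of the local Administrators group on this machine.
Write-Host 'Current local Administrators members:'
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Run it as a user that can read the computer and user objects in AD (any domain user can, by default). If the script reports "Eligible" but the user is not in the local group after gpupdate, the problem is in the preference itself (variable name, the clearing item, or the policy not applying), not in the LDAP queries.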

