Quick Tip ! Group Policy Preference Issues

September 4, 2013


Used a scheduled task ( immediate ) as a group policy preference item and now I receive this when verifying the result using the console.

Added logging to the group policy console as described here :


Result of the log file :

Solution :

See http://support.microsoft.com/kb/2642947

Install the applicable hotfixes, REBOOT and retest.


Add local user to Admin Group

November 22, 2011

Okay I know it’s a bit off-topic but I was so pleased with this solution that I have to share it.

The goal is to add a user to the local admin group using policies. Only one user to one machine, not a group of users to a specific group of machines.

We preferred not to use scripting solutions, so we came up with this :

-> For the moment we use the AD Computer ManagedBy attribute in order to define a link between a computer and a specific user. ( This is a prerequisite ) We decided that the ManagedBy user could be added to the local administrators group only if the user is part of a specific DL admin group.

-> Create a policy with 2 preferences. First one will clear the Local admin group.

-> Second preference will add the %SuperUser% to the local admin group

-> Define the item level targeting

Part 1 assigns the value of the AD ManagedBy attribute

Part 2 verifies if the ManagedBy user is part of the Local Admin Group ( here GG_U_LocalAdmin )

Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

Attribute = The attribute will only be presented as output if the user is part of the group

Update ! This filter does not return the group membership if nested group membership is being used. You can alter the query in order to include the nested group membership like this :


See http://social.technet.microsoft.com/Forums/en-US/8ebae09d-299c-4486-b188-ce1715f7bc36/question-about-using-an-ldap-filter-to-get-memberof-from-an-ad-group?forum=winserverDS for more information.

-> And test.

-> Remove user from group and run gpupdate.

-> And verify
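
Because this policy grants local admin rights to whoever is named in a computer's ManagedBy attribute, it is worth auditing which computers the targeting would actually match. The script below is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module, reuses the group DN from the filter above, and evaluates nested membership with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which is one way to do it and not necessarily the query the post used. The function name ConvertTo-LdapFilterValue is hypothetical.

```powershell
# Added example: report, per computer, whether the ManagedBy user would pass
# the item-level targeting filter (direct and nested group membership).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Group DN taken from the filter shown in the post.
$GroupDn = 'CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local'

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value.
    # A DN such as "CN=Doe\, John,OU=..." contains a backslash that would
    # otherwise break (or change the meaning of) the filter.
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\5c').
                  Replace('*', '\2a').
                  Replace('(', '\28').
                  Replace(')', '\29').
                  Replace([string][char]0, '\00')
}

$group = ConvertTo-LdapFilterValue $GroupDn

# Every computer object that has a ManagedBy value is a candidate.
$computers = Get-ADComputer -LDAPFilter '(managedBy=*)' -Properties managedBy

$report = foreach ($computer in $computers) {
    $userDn = ConvertTo-LdapFilterValue $computer.managedBy

    # Same shape as the filter in the post: direct membership only.
    $direct = "(&(objectCategory=user)(distinguishedName=$userDn)(memberOf=$group))"
    # Same filter with the in-chain matching rule: follows nested groups.
    $nested = "(&(objectCategory=user)(distinguishedName=$userDn)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$group))"

    [pscustomobject]@{
        Computer    = $computer.Name
        ManagedBy   = $computer.managedBy
        DirectMatch = [bool](Get-ADUser -LDAPFilter $direct)
        NestedMatch = [bool](Get-ADUser -LDAPFilter $nested)
    }
}

# Rows with a match are the machines where the policy adds a local admin.
$report | Sort-Object Computer | Format-Table -AutoSize
```

Rows where NestedMatch is true but DirectMatch is false are users who only qualify through a nested group. Anyone able to write the ManagedBy attribute on a computer object can influence this result, so the delegation on that attribute deserves the same review as the group itself.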