Okay I know it’s a bit off-topic but I was so pleased with this solution that I have to share it.
The goal is to add a user to the local Administrators group using Group Policy: one specific user to one specific machine, not a group of users to a group of machines.
We preferred not to use a scripting solution, so we came up with this:
-> For the moment we use the AD computer object's ManagedBy attribute to define the link between a computer and a specific user (this is a prerequisite). We decided that the ManagedBy user may be added to the local Administrators group only if that user is a member of a specific DL admin group.
-> Create a policy with two Local Group preference items. The first one clears the local Administrators group.
-> The second preference item adds %SuperUser% to the local Administrators group.
-> Define the item-level targeting with two LDAP query items:
Part 1 assigns the value of the computer's AD ManagedBy attribute to the variable.
Part 2 verifies whether the ManagedBy user is a member of the admin AD group (here GG_U_LocalAdmin):
Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))
Attribute = any attribute of the user; the query only returns a value (and the targeting item only matches) if the user is a member of the group.
Update! This filter does not match if the membership is only through a nested group. You can alter the query to include nested group membership like this:
See http://social.technet.microsoft.com/Forums/en-US/8ebae09d-299c-4486-b188-ce1715f7bc36/question-about-using-an-ldap-filter-to-get-memberof-from-an-ad-group?forum=winserverDS for more information.
-> And test.
-> Remove user from group and run gpupdate.
-> And verify
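As an added example (not code from the original post), the following PowerShell function reproduces the two targeting parts from an admin workstation so you can check which user a machine would end up with before and after the gpupdate. It assumes the RSAT ActiveDirectory module, uses the group DN from the post, and goes one step beyond it by offering the nested-membership variant via the LDAP_MATCHING_RULE_IN_CHAIN extended match (OID 1.2.840.113556.1.4.1941); the computer name WKS001 is a constructed placeholder.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Group DN exactly as used in the post's item-level targeting filter.
$AdminGroupDN = 'CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local'

function Get-EligibleManagedBy {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$IncludeNested   # also accept membership through nested groups
    )
    # Part 1 of the targeting: read the ManagedBy attribute of the computer object.
    $computer = Get-ADComputer -Identity $ComputerName -Properties ManagedBy
    if (-not $computer.ManagedBy) {
        Write-Warning "$ComputerName has no ManagedBy set; nobody would be added."
        return $null
    }

    # Part 2 of the targeting: the post's filter with %managedby% substituted.
    # Escape RFC 4515 special characters so a DN containing ( ) * \ cannot
    # break or reshape the filter (backslash must be escaped first).
    $dn = $computer.ManagedBy -replace '\\', '\5c' -replace '\(', '\28' `
                              -replace '\)', '\29' -replace '\*', '\2a'

    $memberOfClause = if ($IncludeNested) {
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: walks nested groups
        "(memberOf:1.2.840.113556.1.4.1941:=$AdminGroupDN)"
    } else {
        "(memberOf=$AdminGroupDN)"
    }
    $filter = "(&(objectCategory=user)(distinguishedName=$dn)$memberOfClause)"

    # One object comes back only when the ManagedBy user is in the admin group.
    $user = Get-ADUser -LDAPFilter $filter
    if ($user) {
        [pscustomobject]@{ Computer = $ComputerName; LocalAdmin = $user.SamAccountName; Filter = $filter }
    } else {
        Write-Warning "ManagedBy user '$($computer.ManagedBy)' is not in GG_U_LocalAdmin; the second preference item would not apply."
        $null
    }
}

# Constructed usage: check a machine, then re-run after removing the user from
# the group to confirm the 'Remove user from group and run gpupdate' step.
Get-EligibleManagedBy -ComputerName 'WKS001' -IncludeNested
```

Run it without -IncludeNested to see the exact behaviour of the original filter, which is the one that misses nested membership.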