Okay, I know it's a bit off-topic, but I was so pleased with this solution that I have to share it.
The goal is to add a user to the local admin group using policies. Only one user to one machine, not a group of users to a specific group of machines.
We preferred not to use scripting solutions, so we came up with this:
-> For the moment we use the AD Computer ManagedBy attribute in order to define a link between a computer and a specific user (this is a prerequisite). We decided that the ManagedBy user could be added to the local Administrators group only if the user is part of a specific DL admin group.
-> Create a policy with 2 preferences. First one will clear the Local admin group.
-> Second preference will add the %SuperUser% to the local admin group
Part 1 assigns the value of the AD ManagedBy attribute.
Part 2 verifies if the ManagedBy user is part of the Local Admin Group (here GG_U_LocalAdmin).
Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))
Attribute = The attribute will only be presented as output if the user is part of the group
-> And test.
-> Remove user from group and run gpupdate.
-> And verify
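To verify the setup across the whole domain rather than one machine at a time, here is an added audit script (my own example, not part of the post above or of any Microsoft tooling). It replays the two item-level-targeting steps offline: for every computer with ManagedBy set, it reads the ManagedBy DN and then runs the same LDAP filter the second preference uses, with %managedby% substituted, so you can see exactly which accounts the policy would put into local Administrators. The group DN is the one from the post; the computer enumeration filter, the function names and the use of the built-in [adsisearcher] (no RSAT required) are my assumptions. The ManagedBy value is escaped per RFC 4515 before it is placed in the filter, which the GPP query does not do for you, so a DN containing a backslash-escaped comma or parentheses is handled correctly here.

```powershell
# Added audit example, not code from the original post.
# Replays the two GPP item-level-targeting steps: read each computer's ManagedBy DN (Part 1),
# then apply the post's LDAP filter to check membership in GG_U_LocalAdmin (Part 2).
# Assumptions: group DN as in the post; run as a domain user with read access to AD;
# uses the built-in [adsisearcher] (System.DirectoryServices.DirectorySearcher), no RSAT needed.

$AdminGroupDn = 'CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local'

# Escape the characters that are special inside an LDAP filter value (RFC 4515).
# Backslash must be replaced first so the escapes added afterwards are not double-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ManagedByLocalAdminReport {
    param([string]$ComputerSearchBase = '')   # '' = default naming context of the current domain

    # Hypothetical enumeration filter: every computer object that has ManagedBy populated.
    $computerSearcher = [adsisearcher]'(&(objectCategory=computer)(managedBy=*))'
    if ($ComputerSearchBase) { $computerSearcher.SearchRoot = [adsi]"LDAP://$ComputerSearchBase" }
    $computerSearcher.PageSize = 500
    $null = $computerSearcher.PropertiesToLoad.AddRange([string[]]@('name', 'managedBy'))

    foreach ($computer in $computerSearcher.FindAll()) {
        $managedBy = [string]$computer.Properties['managedby'][0]

        # Part 2 of the post: same filter as the GPP LDAP-query target, %managedby% substituted.
        $filter = '(&(objectCategory=user)(distinguishedName={0})(memberof={1}))' -f `
            (ConvertTo-LdapFilterValue $managedBy), (ConvertTo-LdapFilterValue $AdminGroupDn)
        $userSearcher = [adsisearcher]$filter
        $null = $userSearcher.PropertiesToLoad.Add('sAMAccountName')
        $match = $userSearcher.FindOne()

        [pscustomobject]@{
            Computer      = [string]$computer.Properties['name'][0]
            ManagedBy     = $managedBy
            # True only when the policy would actually add this user to local Administrators,
            # i.e. the filter returned the user (the GPP "attribute" output would be non-empty).
            WouldGetAdmin = [bool]$match
            SuperUser     = if ($match) { [string]$match.Properties['samaccountname'][0] } else { $null }
        }
    }
}

# Usage: show the computers whose ManagedBy user would NOT be granted local admin
# (ManagedBy set, but the user is not in GG_U_LocalAdmin), so the linkage can be reviewed.
Get-ManagedByLocalAdminReport | Where-Object { -not $_.WouldGetAdmin } | Format-Table -AutoSize
```

Run it before and after the "remove user from group and run gpupdate" test: the row for the test machine should flip from WouldGetAdmin = True to False, which is the same condition the second preference evaluates on the client. Dropping the Where-Object gives the full list of accounts that the policy currently elevates, which is the list worth keeping under review.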