IT, Microsoft, Windows Server

Group Policy for Enabling Local Admin


For this post, I will write about an awesome feature – group policy – that allows IT admins to control user computer configurations all from one place (a.k.a. server). I am familiar with the term, something I learned from a workshop years ago, but it wasn’t until a week ago that I’ve gotten to use it at work. It is a pretty neat feature; it saves time (no need to inspect each computer one by one anymore) and can do great damage (great for IT admins, not so great for the end users).

Group policy can be used for just about anything – enabling firewall, disabling jump drives, even  installing and assigning software in all of the computers!

Last week our IT Security Team was facing a dilemma – how to prevent users from installing non-approved software on their laptop. The solution? Removing their local admin rights and changing them into normal “Users”. Yes, the users will scream and shout, but it will prevent any malware from getting into the system..

Okay, let’s get to it!

Goal: To create a GPO (group policy object) that will allow only a handful of users to become local admins while the rest are normal users.

There are two parts to this tutorial: creating the security group (Local Admins) and creating the GPO to only allow the security group to have local admin privileges.

Creating the security group

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name (for this tutorial, I am using “Local Admins”)
  5. Add the users who can have local admin rights to this Group

Creating the GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I am using “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “Local Admins” and “Domain Admins”
    8. Close window
    9. Right Click (still on the Restricted Groups page) and select “Add Group…”
    10. Select browse and add the Local Admins group
    11. Select OK
    12. Double click Local Admins
    13. Select Add for “This group is a member of:”
    14. Browse and add Administrators

So, it should look like this once you have configured everything:





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s