In every organization there will always be the need to have administrators of some sort manage some number of the machines in the domain. We also want to follow the path of least privilege, so using your Domain Admin (DA) account to do your daily admin tasks is not going to cut it. Remember, DA accounts should only be used for tasks that require such privileges, tasks such as Finding Lockout Sources in Active Directory. A Domain Admin should not be used for logging into a random workstation or server to perform certain tasks. For this reason, we need the ability to add local administrators via GPO and separate privileges for admin accounts.
Best Practices is an admin that has a DA account should have the following accounts with privileges.
- Domain Admin: Used for very limited tasks that actually require DA access.
- Server Admin: Used for logging into servers. This account is NOT a Domain Admin and is not an admin on any workstations.
- Workstation Admin: Used for administering end user workstations. This account is NOT a Domain Admin and is not an admin on any Servers.
- Regular Account: Account used for email and general day to day tasks. This account is not an admin on any servers or any end user workstations.
Typically, I find that it is generally easy to remember if you insert a prefix along with your username.
- da-bsmith: Domain Admin Account.
- sa-bsmith: Server Admin Account.
- wa-bsmith: Workstation Admin Account.
- bsmith: Regular everyday account.
Add Local Administrators via GPO (Group Policy)
So unless you already have delegated privileges, you will need Domain Admin access to enable or create group policies (ironically enough). Here are the steps to add local administrators via GPO.
- Open Group Policy Management Editor (GPMC)
- Create a New Group Policy Object and name it Local Administrators – Servers
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. Right Click on the right panel and select Add Group
- Browse for the Active Directory Group you wish to add as a local admin
- Select This group is a member of (#1 Below) – This step is extremely important. Selecting Members of this group will wipe out all current admins.
- Select Browse (#2)
- Type Administrators (#3) – Note: Be sure to add “s” at the end
- Click Check Names (#4) to make sure it resolves and click OK
- Close out of the window
- Highlight the Local Administrators – Server Policy and go to the Details Tab. On the GPO Status Dropdown select User Configuration Settings Disabled
- The final GPO should look like my screenshot below
Apply the Group Policy to your Organizational Unit
- Right Click your preferred OU and select Link an Existing GPO
- Select Local Administrators – Servers GPO
- Close out of GPMC.
Verifying Your Group Policy Works
- Login to any server in the OU you applied the policy to
- Open up a command prompt or Powershell Window
- Type GPUpdate /force
- Check Local Adminstrators Group and you group should be added
Add Local Administrators via GPO Video Demo
I somehow have changed the name for the Administrators group in the Computer Management console when creating the group to add the GPO rule to. Also, it seems that all my admin accounts are gone. Should i just reinstall AD and basically rebuild my environment? Any help you can offer is appreciated.
Hi,
can we create restricted/low-privileged rules for the Junior System administrator as set role-based access
How can I add built-in Network Service As a member of a group on all machines as a part of GPO?
What issue are you trying to solve by adding this?
Thank you so much, you helped me a lot
Is it possible to add local administrators with a powershell skript or is it only possible through the GUI?
From and elevated command prompt
Net localgroup administrators “User Name” /add
Is there a way to force the users from the GPO into the actual local users section on the PC? This way the admin users can log in when there is no connection to the domain?
Not GP, but via cmd you can do:
net localgroup administrators [email protected] /add