AD: Managing Local Administrator Group Memberships

Being able to easily delegate access to domain systems is essential for administrators to enable necessary IT staff to manage their environments. The proper OU structure along with the deployment of Active Directory GPOs makes this a fairly simple task.

GPOs can be used to add users or groups to local admins or to replace the existing memberships. Using GPOs ensures access is granted uniformly and consistently for a specific group of systems, ideally separated by their OU placement.

Follow the steps below to add to or replace the local admin memberships on domain systems. I’ll use the Exchange environment in this example, but the process can be applied to any OU or even at the domain level.

Adding members to local admin

  • Identify the administrative security groups to be added to the local admins group on systems, e.g. Exchange_Admins
  • Open Group Policy Management Console and create a new group policy object to manage the configuration – Exchange_Configuration
  • Edit the Exchange_Configuration GPO
  • Expand Computer Configuration / Windows Settings / Security Settings / Restricted Groups
  • Right click Restricted Groups, and select Add Group
  • Browse and locate the Exchange_Admins group
  • Click OK, OK
  • A new window will open up and under ‘This group is a member of’, click Add
  • Enter Builtin\Administrators
  • Click OK, OK
  • Right click the Exchange Servers OU and select Link an Existing GPO
  • Select the Exchange_Configuration GPO and click OK

To replace members in local admin

  • Identify the administrative security groups to be added to the local admins group on systems, e.g. Exchange_Admins
  • Open Group Policy Management Console and create a new group policy object to manage the configuration – Exchange_Configuration
  • Edit the Exchange_Configuration GPO
  • Expand Computer Configuration / Windows Settings / Security Settings / Restricted Groups
  • Right click Restricted Groups, and select Add Group
  • Enter Builtin\Administrators, click OK
  • A new window will open up and under ‘Members of this group’, click Add
  • Browse and locate the Exchange_Admins group
  • Click OK, OK
  • Right click the Exchange Servers OU and select Link an Existing GPO
  • Select the Exchange_Configuration GPO and click OK

Admins can still change the memberships locally, but the GPO will override any such changes at the next Group Policy refresh interval (approximately every 90 minutes). In both instances, removing the configurations will revert the local admin memberships to the original configuration.
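
The two procedures above are stored differently in the GPO's GptTmpl.inf: the add procedure writes a `__Memberof` entry for the group being added, and the replace procedure writes a `__Members` entry for the Administrators group itself. The PowerShell below is an added example, not part of the original article; it parses a constructed sample (placeholder SIDs, hypothetical function name Get-RestrictedGroupMode) and reports which mode affects the local Administrators group.

```powershell
# Added example. Constructed [Group Membership] section of a GptTmpl.inf showing
# both modes side by side; the domain SID is a placeholder for Exchange_Admins.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

# Hypothetical helper: classify Restricted Groups entries that affect local admins.
function Get-RestrictedGroupMode {
    param([Parameter(Mandatory)][string]$InfText)

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; the name
    # forms cover entries that were typed instead of browsed (assumption).
    $adminIds = '*S-1-5-32-544', 'Administrators', 'BUILTIN\Administrators'
    $inSection = $false

    foreach ($raw in $InfText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group  = $Matches[1].Trim()
            $kind   = $Matches[2]
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

            if ($kind -eq 'Members' -and $adminIds -contains $group) {
                # "Members of this group": the list is authoritative.
                Write-Warning "Replace mode: local Administrators is reset to the listed members at each refresh."
                [pscustomobject]@{ Mode = 'Replace'; InLocalAdmins = $values -join ', ' }
            }
            elseif ($kind -eq 'Memberof' -and ($values | Where-Object { $adminIds -contains $_ })) {
                # "This group is a member of": existing members are left alone.
                [pscustomobject]@{ Mode = 'Add'; InLocalAdmins = $group }
            }
        }
    }
}

Get-RestrictedGroupMode -InfText $sample | Format-Table -AutoSize
```

To check a live GPO, pass the text of its `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` file under SYSVOL, read with `Get-Content -Raw`, as `-InfText`.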
