AD: Managing Local Administrator Group Memberships

Being able to easily delegate access to domain systems is essential for administrators to enable necessary IT staff to manage their environments. The proper OU structure along with the deployment of Active Directory GPOs makes this a fairly simple task.

GPOs can be used to add users or groups to local admins or to replace the existing memberships. Using GPOs ensures access is granted uniformly and consistently for a specific group of systems, ideally separated by their OU placement.

Follow the steps below to add to or replace the local admin memberships on domain systems. I’ll use the Exchange environment in this example, but the process can be applied to any OU or even at the domain level.

Adding members to local admin

  • Identify administrative security groups to be added to the local admins group on systems, e.g. Exchange_Admins
  • Open Group Policy Management Console and create a new group policy object to manage the configuration – Exchange_Configuration
  • Edit the Exchange_Configuration GPO
  • Expand Computer Configuration / Windows Settings / Security Settings / Restricted Groups
  • Right click Restricted Groups, and select Add Group
  • Browse and locate the Exchange_Admins group
  • Click Ok, Ok
  • A new window will open up and under ‘This group is a member of’, click Add
  • Enter Builtin\Administrators
  • Click Ok, Ok
  • Right click the Exchange Servers OU and select Link an Existing GPO
  • Select the Exchange_Configuration GPO and click OK

To replace members in local admin

  • Identify administrative security groups to be added to the local admins group on systems, e.g. Exchange_Admins
  • Open Group Policy Management Console and create a new group policy object to manage the configuration – Exchange_Configuration
  • Edit the Exchange_Configuration GPO
  • Expand Computer Configuration / Windows Settings / Security Settings / Restricted Groups
  • Right click Restricted Groups, and select Add Group
  • Enter Builtin\Administrators, click Ok
  • A new window will open up and under ‘Members of this group’, click Add
  • Browse and locate the Exchange_Admins group
  • Click Ok, Ok
  • Right click the Exchange Servers OU and select Link an Existing GPO
  • Select the Exchange_Configuration GPO and click OK

Admins can make changes to the memberships, but the GPO will override any changes at the next refresh interval (approximately every 90 min). In both instances, removing the configurations will revert the local admin memberships to the original configuration.
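
To check which of the two behaviours a GPO actually carries, the Restricted Groups setting can be read back from the `[Group Membership]` section of the GPO's GptTmpl.inf in SYSVOL. The PowerShell below is an added example, not part of the original post: the function name is hypothetical, and the sample file content is constructed (placeholder domain SID, RID 1104 standing in for Exchange_Admins) and combines the output of both procedures in one file for illustration.

```powershell
# Added example. $sampleInf is constructed; the domain SID and RID 1104 are placeholders.
# For a real GPO, load the file with Get-Content -Raw from
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1104__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1104__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1104
'@

# Well-known SID and names under which BUILTIN\Administrators can appear in the file
$adminNames = 'S-1-5-32-544', 'Administrators', 'BUILTIN\Administrators'

function Get-LocalAdminPolicyEntry {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($raw in ($InfText -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the Restricted Groups section
            $inSection = $Matches[1] -eq 'Group Membership'
            continue
        }
        if ($inSection -and $line -match '^\*?(?<group>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group'].Trim()
            $kind  = $Matches['kind']
            $items = @($Matches['list'] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })

            if ($kind -eq 'Memberof' -and ($items | Where-Object { $adminNames -contains $_ })) {
                # "This group is a member of": the group is added to local admins
                [pscustomobject]@{ Mode = 'Add'; Principals = $group }
            }
            elseif ($kind -eq 'Members' -and $adminNames -contains $group) {
                # "Members of this group": the list replaces the existing membership
                [pscustomobject]@{ Mode = 'Replace'; Principals = ($items -join ', ') }
            }
        }
    }
}

Get-LocalAdminPolicyEntry -InfText $sampleInf | Format-Table -AutoSize
```

A `Replace` row means the listed principals become the membership of the local Administrators group on every system the GPO applies to, so review that list before linking the GPO to an OU.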