Best Practice: How to use Group Policy Preferences to Secure Local Administrator Groups

One problem I see all the time is IT administrators never being able to control who is a local administrator of any particular computer. The problem is that when you give someone local admin access to a computer (because they legitimately need it) you can’t stop them from giving admin access to someone else on the same computer. When this does happen it is also almost impossible to discover, as you have to run a query against every computer to see who is in the local admin group and then figure out which accounts should be members. One solution to this is of course to follow Microsoft best practice and not give your users local admin access to their PC or server, and in a utopian environment this would be possible, but we all live in the real world where managers have admin access to their PCs and developers are allowed to install any software they want. So how do you give a user full admin access to a computer but stop them from adding more people to the local admin group on that computer? Use Group Policy Preferences, of course.

But first a bit of history… Since Group Policy was first introduced with Windows 2000 there has been a setting called “Restricted Groups” which allows you to control the membership of a group. This setting has two modes: the “Members” option, which I also call the “Iron Fist” mode, and the “Members Of” option, which is much gentler. The “Members” option removes any groups or users that are not explicitly specified, and the “Members Of” option just adds a specific group without removing any existing groups. The “Members” option was really good at cleaning up those rogue members of the local admin group, but it was also really hard to set up, as you had to have a new group policy every time you wanted a different list of members in the local group on a computer. The “Members Of” option was a lot easier to maintain, as you could layer multiple group policies on top of each other, but this normally resulted in just adding another layer of groups to the pile of groups that were already in the local administrators group. The other problem was that the “Members” option would override the “Members Of” option, so there was really no way of mixing the two modes.

BUT… Group Policy Preferences can use variables, which enable you to be extremely granular in controlling your local admin group while still having “Iron Fist” control. Muuhhaaaahahahahah!!!



 

How do I setup a restricted local administrator group?

The following steps need to be applied to a GPO that is applied to the computer objects whose local administrator groups you want to control. Note: You must make sure you don’t have any other Group Policy “Restricted Groups” settings applied to your computers, as they will always override the Group Policy Preferences settings.

Step 1. Open the Group Policy Management Console and edit the group policy that is applied to the scope of computers that you want to control.

Step 2. Go to the Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups option (see Image 1.).

Image 1. Local Users and Groups

Step 3. Now click on Actions > New > Local Group

Step 4. Now you will need to select “Administrators (built-in)” from the group name list, as this always selects the built-in administrators group even if you have renamed it to obfuscate the name of the admin account.

Step 5. Tick both “Delete all member users” and “Delete all member groups”. These two options will automatically remove any users or groups that are not explicitly being added to the group. You only need to do this on item number 1 in the list of settings as that setting will be processed last.

Step 6. Now you will need to make sure you have added back in the Domain Admins and Local Administrator groups so that you don’t totally lock yourself out of the computer. To do this click the “Add…” button to bring up the “Local Group Member” dialogue box (see Image 2).

Image 2. Local Group Member

Step 7. Now type “BuiltIn\Administrator” in the Name field and click OK (see Image 3.)

Note: The image below is wrong… it should be “BUILTIN\Administrator”

Image 3. Local Administrators group added to the local administrators group

Step 8. You should also add “DOMAINNAME\Domain Admins”, as it is good practice to have the DA account as a member of the local admin group on all computers in the domain. To do this we are going to use the DomainName variable. Click “Add…” again, click in the “Name:” text field and then press F3. This will bring up the “Select Variable” dialogue box (see Image 4.). Click on the “DomainName” field and press “Select” and then “OK”. (Alternatively you could type %DomainName% in the name field and just press OK.)

Note: The image below is also wrong… The bottom image should be “BUILTIN\Administrator”

Image 4. Selecting the DomainName Variable

You should now see the following which will restrict the local administrator group to only have the Domain Admins and the local administrator.

Note: The image below is wrong. It should be “BUILTIN\Administrator”

Image 5. Basic local administration group setting

So what, you ask? I can do this already with the “Restricted Groups” Group Policy setting. Well, only having the local Administrator and Domain Admins in the local admin group is not much use unless you are willing to give everyone the local admin password or give them all Domain Admins privileges (like that ever happens) whenever they need admin access. Well, again this is where Group Policy Preferences can help.

 

How to add individuals to a single computer?

Now we are going to go through how to add a uniquely named domain group to the local administrators group without having to set up multiple Group Policy objects. This scenario is very helpful if you want to grant a single user or group local administrator access on a computer but still ensure that no other users or groups can be added without explicitly being approved. In the steps below the computer name is DESKTOP01 and the domain name is CONTOSO. We want to add the group “CONTOSO\DESKTOP01 Administrators” to the local administrator group, but we also want the same to happen on DESKTOP02, DESKTOP03 and so on, each with their own uniquely named group based on the computer name.

Update: Having a unique group for each computer allows you to easily grant permission for a single user to a single computer, as there is a one-to-one mapping of domain groups to local administrator groups.

Step 9. Now go back and repeat steps 3 to 6 until you get to the Local Group Member dialogue box again (see Image 6.).

Note: This creates a second local administrator group entry in the list to work around an issue.

Image 6. Add Local Group Member

Step 10. Type “%DomainName%\%ComputerName% Administrators” in the Name text field and click “OK” (Image 7.)

Image 7. Configuration to automatically add a unique group to the local administrators group

This will now automatically add a domain group called “DOMAINNAME\COMPUTERNAME Administrators” to the local administrators group on the computer to which the policy is applied, and your group policy should look like Image 8.

Image 8. Two local administrator group settings

Update: There are two separate local administrator group settings in the policy: the first one is the setting you see in Image 5 and the second one is the setting you can see in Image 7.

However, the “CONTOSO\DESKTOP01 Administrators” group will only be added to the local administrators group on the computer DESKTOP01 if that group already exists. Therefore you do not need to create the group until the need arises to add an individual user or group to just a single computer.

Update: This policy will not create the group in your Active Directory called “DOMAINNAME\COMPUTERNAME Administrators”, and you don’t have to create it unless you want to use it to grant permission to the computer. Once you have created the group you can then add a single user to the domain group… or multiple user accounts and groups. The other advantage of having this domain group is that it is the only place where you can grant admin access to the computer without it being automatically removed; therefore it makes auditing who is a local administrator on a workstation much easier, as you only have to audit the domain groups. This means that you can even report on who has access to the computer when the computer isn’t even connected to the domain.

This group policy setting combined with the other setting made earlier (see Image 5.) will mean that the local administrator group on the computer DESKTOP01 in the CONTOSO domain will have the following members automatically added to the group:

  • CONTOSO\Domain Admins
  • DESKTOP01\Administrator
  • CONTOSO\DESKTOP01 Administrators

But ANY other users or groups will be automatically removed after the next group policy refresh. This does mean there is a slight window of opportunity for someone to slip in an un-authorised account into the local administrators group but they will get removed at the next policy update.
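To spot an unauthorised account during that window between policy refreshes, the check below compares a computer's current local Administrators membership with the three entries listed above. It is an added example, not part of the original post; the function names and the sample member CONTOSO\jsmith are made up for illustration, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): list local Administrators
# members that the GPP items described above would remove at the next refresh.

function Expand-GppName {
    # Expands the two GPP variables used in the article. Hypothetical helper;
    # Group Policy Preferences supports more variables than these two.
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $name = $Template -ireplace '%DomainName%', $DomainName
    $name -ireplace '%ComputerName%', $ComputerName
}

function Get-ExpectedLocalAdmin {
    # Members that the article's two preference items leave in the group.
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ComputerName,
        # Optional extra entries, e.g. '%DomainName%\Workstation Administrators'
        [string[]]$ExtraTemplate = @()
    )
    $templates = @(
        '%DomainName%\Domain Admins'
        '%ComputerName%\Administrator'
        '%DomainName%\%ComputerName% Administrators'
    ) + $ExtraTemplate
    foreach ($t in $templates) {
        Expand-GppName -Template $t -DomainName $DomainName -ComputerName $ComputerName
    }
}

function Compare-LocalAdminMembership {
    # Name comparison is case-insensitive, as account names are on Windows.
    param(
        [Parameter(Mandatory)][string[]]$Actual,
        [Parameter(Mandatory)][string[]]$Expected
    )
    [pscustomobject]@{
        # Present on the machine but not sanctioned by the policy
        Unexpected = @($Actual | Where-Object { $Expected -notcontains $_ })
        # Sanctioned but absent, e.g. the per-computer group not yet created in AD
        NotPresent = @($Expected | Where-Object { $Actual -notcontains $_ })
    }
}

# Constructed sample membership for DESKTOP01 in CONTOSO. On a live machine:
#   $actual = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$actual = @(
    'CONTOSO\Domain Admins'
    'DESKTOP01\Administrator'
    'CONTOSO\jsmith'            # constructed unauthorised entry
)

$expected = Get-ExpectedLocalAdmin -DomainName 'CONTOSO' -ComputerName 'DESKTOP01'
$result   = Compare-LocalAdminMembership -Actual $actual -Expected $expected

$result.Unexpected | ForEach-Object { Write-Warning "Not sanctioned by policy: $_" }
$result.NotPresent | ForEach-Object { Write-Output  "Expected but absent: $_" }
```

A renamed built-in Administrator account will show up as unexpected here because the comparison is by name; pass its new name through `-ExtraTemplate` if you have renamed it.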

Side Note: I have found that users almost never complain that they can’t add un-authorised users to the local admin group on a computer. Go figure…  :)

AWESOME!!!! I hear you say… but wait there is more…

 

How do I add additional broader groups to the local administrators group?

Now that you are able to granularly add a single user or group to the local administrators group on a computer, you might run into problems if you have more than 1000 computers due to AD token bloat issues. To get around this we can set up some more broadly applied administrator groups that will give admin access to only a subset of computers, such as all workstations or only the SQL Servers in your organisation.

Workstations Admin Groups

To apply a Workstation administrators group to the local administrators group on all workstations, make sure you have a group policy targeted only at your workstations. This is normally pretty easy, as most companies isolate their workstation computer accounts to one (or a select number of) Organisational Units.

Step 11. Go back and repeat steps 6 and 7 but this time add the group “%DomainName%\Workstation Administrators” in the name field. This will add the additional group “CONTOSO\Workstation Administrators” to the local admin group on all the workstations in your domain, which will allow you to easily give all the Desktop Administrators in your organisation access to all the workstations without having to give them the local admin password or Domain Admins privileges.

Server Role Admin Groups

It gets a little trickier when you want to grant access to a server based on its role, as servers are sometimes configured for multiple roles. So in these steps we are going to automatically add a domain group called “CONTOSO\SQL Server Administrators” to all the servers you have that have SQL Server installed on them. This will be very handy for making sure SQL service accounts or database administrators have admin access to all the servers that have Microsoft SQL Server installed. You can however make multiple versions of these admin groups for other roles (e.g. Exchange, SCCM, ISA); you just need to know the best way to target the setting.

Step 12. First make sure you are editing a group policy that is applied to all your servers in your organisation.

Step 13. Repeat Steps 9 and 10, then open the properties of the new policy setting and specify the group, but this time type “%DomainName%\SQL Server Administrators” in the name field.

Step 14. Click on the “Common” tab and then tick “Item Level Targeting” and click the “Targeting…” button.

Step 15. Click on “New Item” in the menu bar and select the option you want to use to target all the SQL servers in your organisation. Here, select the “File Match” option to look in the Program Files folder and see if a sub-folder exists called “Microsoft SQL Server” (see Image 8). This is normally true for any server that has Microsoft SQL Server installed, so it will then automatically apply the SQL Server Admin group to that server if it is installed.

Note: In this example we tested that the “Microsoft SQL Server” folder exists, but we could also make a rule to test for the existence of a particular file or registry key.

Image 8. Testing to see if Microsoft SQL Server is installed.

Now any computer that has SQL Server, MSDE or SQL Express installed will get the group “CONTOSO\SQL Server Administrators” automatically added to the local admin group.

The nice thing about this is that if SQL is installed on the server at some point in the future, the SQL Admin group will be added automatically at the next group policy refresh without you having to do a thing.

Finally… now that you have tight control of the local administrator groups on all the computers in your domain, it is important to monitor and secure the domain groups that are being added to the local administrator groups, as they now control who has admin access to all your computers. But I will save how to do that for another blog post…
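A reader comment below points out that anyone able to create groups in Active Directory could create a correctly named “COMPUTERNAME Administrators” group, and the suggested answer is to pre-create those groups in a secure OU. As an added example (not from the original post), the PowerShell below flags per-computer admin groups that sit outside that OU; the OU path, function names and sample objects are constructed, and the commented live queries assume the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original post): find "<COMPUTERNAME> Administrators"
# groups that live outside the OU reserved for them.

function Get-ParentContainer {
    # Strip the leading RDN from a distinguished name, allowing for
    # escaped characters such as "\," inside the group's CN.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $DistinguishedName -replace '^CN=(?:\\.|[^,\\])+,', ''
}

function Find-MisplacedAdminGroup {
    param(
        # Objects with Name and DistinguishedName, as Get-ADGroup returns
        [Parameter(Mandatory)][object[]]$Group,
        [Parameter(Mandatory)][string[]]$ComputerName,
        # DN of the locked-down OU that is allowed to hold these groups
        [Parameter(Mandatory)][string]$TrustedOU
    )
    # Names that the %ComputerName% preference item would resolve to
    $watched = @($ComputerName | ForEach-Object { "$_ Administrators" })

    foreach ($g in $Group) {
        if ($watched -notcontains $g.Name) { continue }

        $parent = Get-ParentContainer -DistinguishedName $g.DistinguishedName
        # Accept the trusted OU itself or any OU beneath it
        $inTrusted = ($parent -eq $TrustedOU) -or
            $parent.EndsWith(",$TrustedOU", [System.StringComparison]::OrdinalIgnoreCase)

        if (-not $inTrusted) {
            [pscustomobject]@{ Group = $g.Name; Location = $parent }
        }
    }
}

# Constructed sample data. Against a live domain you would use instead:
#   $computers = (Get-ADComputer -Filter *).Name
#   $groups    = Get-ADGroup -Filter "Name -like '* Administrators'"
$trustedOU = 'OU=Local Admin Groups,DC=contoso,DC=com'   # assumed OU name
$computers = 'DESKTOP01', 'SQL01'
$groups = @(
    [pscustomobject]@{
        Name              = 'DESKTOP01 Administrators'
        DistinguishedName = "CN=DESKTOP01 Administrators,$trustedOU"
    }
    [pscustomobject]@{
        Name              = 'SQL01 Administrators'
        DistinguishedName = 'CN=SQL01 Administrators,OU=Staff,DC=contoso,DC=com'
    }
    [pscustomobject]@{
        # Not a per-computer group, so it is ignored by the check
        Name              = 'Workstation Administrators'
        DistinguishedName = 'CN=Workstation Administrators,OU=Staff,DC=contoso,DC=com'
    }
)

Find-MisplacedAdminGroup -Group $groups -ComputerName $computers -TrustedOU $trustedOU |
    Format-Table -AutoSize
```

Running this on a schedule and alerting on any row it returns covers the case where a matching group is created after the servers were built.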

112 Comments

  3. Rob B says:

    A good write up when used in conjunction with auditing – How to use #Group #Policy Pref's to Secure Local Admin Groups – http://is.gd/6NWI7

  4. Brandon says:

    This is where you lose me: “How to add individuals to a single computer?” Is this a required step to get all this to work? Also in the paragraph you do not list where this new group is going to be created. I’m assuming it’s at the same location as the first preference was created? Also in that same paragraph, why would you want a different group for each computer (you said Desktop01, Desktop02, and Desktop03)? So you’re saying to create 3 groups (DESKTOP01 Administrators, etc)? Create these groups in the preferences or create the groups in Active Directory Users and Computers?

    I just want a central group called WksAdmins, that I can add users to it and they will have the local admin access. Is that possible?

    Very good article, I just got confused from this point on. Thanks…

  5. I have made a few updates to this article and I have added another screen shot that should clarify how this should look when configured… Thanks for the feedback, always appreciated.

  7. Mick Faber says:

    Alan,

    Great post and thank you. Been a fan of your work since TechEd09 and your performance with @superlilia!!

    Question – We have approx 3000 machines on our network, and have a requirement for approx 500 users to have local admin rights on their machine. This solution looked perfect until you started talking about Token bloat issues, of which I am not familiar.

    We don’t want to provide these users with access to all other 499 machines, and so the option to create a workstation-admins group won’t work for us. What are the implications of “Token Bloat” and do you have any suggestions how we can allocate an individual user local Admin rights to their machine only via GP or GPP?

    Thanks in advance,

    Mick

  8. Mick Faber says:

    Never mind – I gave it some more thought, and created a sub OU that contained only the computers we wanted this to apply to and moved those machines that were affected by this into that sub OU. We then applied a new GP to only that sub OU with the “%computername% Administrators” being applied to it, and ensured that GP inheritance to that OU is turned on. That way we’re not creating a lot of unnecessary traffic etc and thus ensuring that we don’t get hit by “Token Bloat” issues … whatever they are!!! . Thanks again for your post on getting me started.

    Mick

    • Token bloat is an issue when a user becomes a member of too many security groups… there is a limit of 500 to 1000 groups a user can be a member of (directly or indirectly) and then things will start to randomly break… this normally presents as an access denied or Out of Memory issue…. This may become an issue if you add one user to each of the 3000 security groups to give them admin access to all the computers… So… use %computername% administrators sparingly…

      However if you are just creating the 3000 security groups and users are only going to be granted access to one of those computers then this is fine…

      If you want to grant a single user (such as IT Support) admin access to all the workstations for this separate OU then you want to apply another group called “Workstation Administrators” which will be the same group applied to all the computers… that way a user can have admin access for all workstations by only being made a member of one group…

      Hope it helps… Hope to see you at TechEd this year…

  9. Robin Hearne says:

    Hi,

    This looks really useful but I’ve had no success at all in getting this to work in either our test lab or live network. The new members are not being added to the local group, but I can’t find any errors to say why. Is there any dependency on DCs for this functionality (ours are still Windows 2003)? Do you have any suggestions on how I can troubleshoot this?

    Thanks

    Robin

  10. Roberto says:

    Hi,
    sorry if my question will appear a bit stupid … I’m studying system servers by myself at home: environment test : VMware with a W2k3 R2 domain.

    Question: The screenshots above are of GPMC of windows 2008?? When I open my editor of policy there are different options. :( (

    Thanks for the future answer.

    Roberto

    • Yes… GPMC on Windows XP or Server 2003 would look different as they do not support Group Policy Preferences… GPMC on Vista/7 & 2008/2008 R2 would look the same (or very similar).

    • Your version of AD should be fine…

      Things to check…

      1. Do you have the client side extensions installed
      2. Have you split the “%computername% administrator” preference item into a separate setting?
      3. Have you done a group policy results report against the computer to see what is being applied?

  11. Robin Hearne says:

    Your second point was spot on. I’d not followed your guide carefully enough and had added everything into the one preference item!

    Thanks for your help

    Robin

    P.S. I don’t suppose you can use wildcard characters when identifying the new group member?

  12. Robin. Yes.. You can use wild cards…

  13. John Nichols says:

    Is there an easy way to hide the Local Users and Groups control panel item from appearing?

    Thank you,
    John

    • You should be able to block the computer management control panel icon via group policy…. Under User Configuration > Policies > Administrative Templates > Control Panel > Hide specified Control Panel Items

  15. IanG says:

    Hi,
    Great article. Is there a reason why you specify the domain name as a variable (%DOMAINNAME%\Domain Admins) as opposed to the actual domain name (mydomain\Domain Admins)?

    • If you export the setting and apply it to another domain then the static “MyDomainName” will be wrong… This could be useful in a single multi domain environment.

  16. IanG says:

    I am testing this GPO and whenever I add the BuiltIn\Administrators group to the GPO as in step 7 and test with gpupdate I get an error on the client: -

    The computer ‘Administrators (built-in)’ preference item in the ‘Test Policy {8ACC7AF3-11F6-4F06-9586-45E 42F3C656}’ Group Policy Object did not apply because it failed with error code ’0x8007056c A new member could not be added to a local group because the member has the wrong account type.’ This error was supporessed.

    Have you seen this warning and why does it occur?

  17. What is the exact text of the user or group you are trying to add to the BuiltIn\Administrators group?

  19. Jeff Harriss says:

    I get a similar error to the one that IanG mentioned. I am confused as to why you would have to add the built in admin group to itself anyway. Were you trying to add the built in admin account? From my testing the built in admin account remained in my local admin group despite not being mentioned in the GPO.

  20. Jeff Harriss says:

    Anyone know if it is possible to use a variable substring? ie. %ComputerName:~0,10% in Group Policy Preferences?

    • VertigoRay says:

      No … variable substrings are part of the CMD shell, and are only acted upon from within a CMD shell (.bat/.cmd Files run within the CMD shell).

      When you pass %ComputerName:~0,10% as a parameter outside of a CMD shell, it passes as the string (w/out quotes): “%ComputerName:~0,10%”

      Whereas passing %ComputerName% as a parameter outside of a CMD shell will pass the actual computername.

  21. MikeFi says:

    I’m having the same issue as IanG. I’m adding a single user to a single server. (domain\username). Every time the GPOs update this error shows up.

  22. MikeFi says:

    Found the cause…
    Instead of adding the single user to the single server, I added a second GPP adding an SG, single user in the SG. And used the above example for adding an SG with the condition (common) of “file folder”.

    Also, from MS http://support.microsoft.com/kb/842217 relates to the specific error

  23. @MikeFi I would have tried creating a separate Group Policy Preference Item to add the separate user…

  24. Ivo says:

    I’ve tried various combinations and I can’t get your example to work at all. All I get is an Administrators group with Administrator in it and nothing else. The following error keeps showing up.
    The computer ‘Administrators (built-in)’ preference item in the ‘testAdminGroup {1EC221BF-3E61-434D-817C-1C07EDA42FB1}’ Group Policy object did not apply because it failed with error code ’0×80070534 No mapping between account names and security IDs was done.’ This error was suppressed.
    I’m running Windows 2008R2

  25. Garðar says:

    Hi,
    Great article. It’s also possible to add wildcards to the targeting of the groups.
    For example, if you want the group “Workstation North Admins” to be added to the local administrator group for computers that start with the name “WS-NORTH-” then follow this procedure:

    1. Click on the “Common” tab and then tick “Item Level Targeting” and click the “Targeting…” button.

    2. Click on the “New Item” in the menu bar and select “Computer Name”

    3. Enter “WS-NORTH-*” to the Computer Name field below.

    This comes in handy when your domain computers have different names for each location.

  26. wilcoxmc says:

    I originally thought that “BuiltIn\Administrators” in step 7 was a typo; as Jeff Harriss suggests, it doesn’t make sense to add the built in admin group to itself. So, when I used “BuiltIn\Administrator” (singular) I get the error that says “No mapping between account names and security IDs was done” (see Ivo’s post). Then I tried using the plural, “BuiltIn\Administrators”, and get the error that says “A new member could not be added to a local group because the member has the wrong account type” (see IanG’s post).

    Following Jeff Harriss’ line of thought, I removed all membership entries and checked the boxes to “Delete all member users” and “Delete all member groups”. In theory one might think this would clear all entries in the Local Admins Group, thereby essentially locking everyone out. However, the built-in local Administrator account remained. This confirms Jeff Harriss’ assertion.

    So, the entry in step 7 is unnecessary, even problematic. It seems to prevent subsequent member entries in the same preference item from taking effect, though I didn’t test further to isolate that behaviour. If nothing else, it just adds an extraneous error to the event log with each GP update. So, better to skip step 7 altogether IMHO.

    Don’t get me wrong, though, this is otherwise a great post. It’s a novel idea to use an AD group for each PC (though I’ve decided to just stay the straight GPP route, putting all PC/user entries in a single GPO by using Item-Level Targeting). I greatly admire Alan Burchill’s body of work and knowledge he has contributed to the community!

    • Very interesting… this may explain the strange behaviour I have been seeing.. I will need to do some testing for myself. Thanks

    • Looks like the “Stop Processing on errors” option is enabled even if the option is not ticked (see common tab)… I am asking the powers that be to see if they can reproduce this issue.

  27. Robb Lindell says:

    Super article. My only hesitation is that if I were to implement the individual Administrator group strategy for servers (workstations too – but I’m less worried about those), anyone who has the ability to create groups in Active Directory could simply grant themselves Administrator access to servers by creating the properly named group and adding themselves as a member. I was trying to see if there was a way to setup the targeting to check to make sure that the group is in a particular locked down OU rather than just anywhere in the domain. Does anyone have any suggestions on how to close that gap?

    • Alan says:

      Good point… I never thought of that. If you did want the groups secure you could of course make them in advance (at least for your servers) and then put them in a secure OU.

  28. Charlie Calli says:

    Alan:

    I too am running Win XP Pro on my workstation & the AD server I am trying to get this setup on is running Win 2003 SE SP2. Can you elaborate on your suggestions made earlier:

    Your version of AD should be fine…

    Things to check…

    1. Do you have the client side extensions installed
    2. Have you split the “%computername% administrator” preference item into a separate setting?
    3. Have you done a group policy results report against the computer to see what is being applied?

    I am unfamiliar with ensuring the 3 items you mention.

    Thank you in advance for your time in responding, I appreciate it.

  29. Ajay says:

    Hi…this is Ajay.

    I want to add domain user group to Local computer Administrators group using GPO or Script….
    I don’t want to use restricted groups in GPO…

    Any suggestions
    Thanks & Regards,
    Ajay

  33. Gu_Flater says:

    Hi, it’s a good article but a small remark: After setting this the “description” is gone “Administrators have complete and unrestricted access to the computer/domain” :-)

  34. Tom says:

    Hi Alan,

    The article is really informative, but I am still fuzzy on a few details on how to create a GPP that adds a specific user to an individual computer that is applied to an OU containing workstations. The closest I have come to doing this is by creating a GPP that has an altered user configuration and is applied to an OU containing users. I had the GPP add the current user logged in to become part of the local admin group and set the GPP to apply once. It added the current user but only after a log off then on or reboot. To make matters worse, the next user I logged in with also was added to the local admin group on the workstation. I thought the GPP was supposed to be applied once! Is there a generic GPP that can add one user to the machine they are tied to and can be applied to a workstation OU? Or does this magical policy only exist in my imagination? Any help would be appreciated. Thank you!

  35. @tom Add the GPP setting to add the group called “%computername% Administrator” then create a group in AD called “COMPUTERNAME Administrators” (substitute the actual computer name for the COMPUTERNAME eg. “DOMAINNAME\WINXPPC01 Administrators”) then add the individual user to the AD group.

    The magic is that GPP will automatically convert the %computername% administrator entry to the local computer name.

    If that does not help feel free to ask for more help..

  36. Mike says:

    Hi Alan,

    Thanks for the great article, it helped address one of our main issues with assigning local admin permissions before the days of GPP.

    However, I am experiencing a slightly unusual problem that may or may not be related to this but I just wanted to know if you or anyone else had seen this before. The problem is after I’ve made a user a local admin by adding them to the “%computername% Administrators” group, the user gets local admin permissions and they can do the stuff that needs admin rights. However, there are a couple of things that don’t work, for example if I go to System in Control Panel I can’t open Remote Settings, System Protection or Advanced System Settings but I can open Device Manager without any issues. When I say I can’t access these items, I mean I click on the option and nothing happens, no error, no UAC prompt just nothing at all. If I logon as a different user that is assigned admin permissions in a different way (for example they are a member of a group that is added in the “first” local administrators GPP) then it works fine.

    Hope this makes sense and I’d really appreciate any thoughts on why this happens and if anyone else has seen the same thing?

    Thanks all

    Mike

  37. Tom says:

    Alan,

    Thank you so much for your response. Just to be clear though, this would require a group to be created for each individual computer, correct?

  38. @Tom . Yes. However you only need to create the groups as required.

  39. Sandy says:

    I was using restricted groups but I need to map one user to one PC as a local administrator, so I am using GPP. I guess I am missing something. I created the GPP “%computername% Administrators”. I created a group in the OU that the PC resides in named “computername Administrators”. I added the user account to be a Member Of the group. It’s not working…No event viewer log entries, not adding anything to the local administrators group, no rights… Help!

    • Sandy says:

      I am using Windows 2008 R2 domain controllers, and Windows XP clients with the Group Policy Extension patch installed.

  40. Anna says:

    Thank you for the great article. I am trying to add users from a different domain to the local administrator group. In GPMC, I can’t switch locations. Can I just type in the domain name followed by the user name? What exact syntax would be required? I don’t have access to the other domain but want to give a few of their people (help desk) local admin access to our computers.

  41. Anna says:

    That sounds easier. I created the Universal Security group and added it to the policy. Oops! I just realized, I’m not talking about adding people from a different domain… it’s a different forest. Big difference! How can I give people (help desk) from a different forest local admin access to the PC’s in our forest?

  42. Praveen says:

    Hi Alan,

    I have a requirement to lock down local users on a Windows 2003 Member server. It is a 2003 Domain environment.

    Requirement: Local IDs in the server need to be locked down (Deny Logon Locally and Deny Terminal Services Logon).

    Problem: Currently a GPO is enabled in AD to lock down Domain IDs, so we are not able to edit the GPO locally to add local IDs.
    So I need to find a solution to lock down local IDs without disturbing the Domain GPO.
    How can I achieve this without disturbing the existing Domain GPO?

    • Praveen says:

      I would like to know if this can be achieved through GP Preferences or is there any other method to follow. And also please provide steps or any blog / link which helps me in detail to configure.

  43. helen says:

    Hi,
    In a company we have AD with 3000 users. I want to use a policy so that some specific users are local administrators of some specific computers. How could I do that? I read “How to add individuals to a single computer?”, and I have a question: where do we determine which user is an admin of which computer?
    Thanks

    Helen

  44. @Helen when you set up the targeting of the policy use

    if Computer Name = “COMPUTERNAME HERE”
    AND if member of Security Group X

    That should work… but I have never tried. Please tell me how it goes…

  45. vijay says:

    Hi Alan,

    I have a small query. In my company I can see unwanted users are accessing the server. I have planned everything and consolidated, and made a plan of who is going to access the server with admin permission. But I have come across one strange thing: all the server administrators need admin access, so I have created a security group for the same and moved all the members into that group to gain the admin access. Now one more challenge is I have some of the users to be given power user access. But in Builtin/AD I am not able to find the power user, so I can able to Puser the user via GPO. Can you advise me, and correct me if I am wrong in some way?

    Thanks
    vijaykumar.P

  46. Andrew says:

    Alan,
    With my GPP when I do created the security group I get an Event ID warning logged on the system. Is there any way to avoid it? I want it to skip and move on without any signs of the group missing. Is this expected, or how can I avoid it? Am I doing something wrong?

    Log Name: Application
    Source: Group Policy Local Users and Groups
    Date: 8/16/2011 2:19:20 AM
    Event ID: 4098
    Task Category: (2)
    Level: Warning
    Keywords: Classic
    User: SYSTEM
    Computer: xxxx
    Description:
    The computer ‘Remote Desktop Users (built-in)’ preference item in the ‘xxxxxxxx’ Group Policy object did not apply because it failed with error code ’0x80070534 No mapping between account names and security IDs was done.’ This error was suppressed.

    Thanks,
    Andrew

  47. David says:

    Hi, I got the following error on my machines:

    The computer ‘Administrators (built-in)’ preference item in the ‘Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}’ Group Policy object did not apply because it failed with error code ’0x8007056c A new member could not be added to a local group because the member has the wrong account type.’ This error was suppressed.

    Hope you could help me solve this…

    • David says:

      Hi, I would like to thank you for your tip here. I did manage to use it; however, the users in my local admin group cannot run the logon script which is also in my Group Policy. However, those users outside my local admin group (the Domain Users and Domain Admins) can run the logon scripts. I don’t know why this happens to the users who belong to the local admin group. Hope you could help me with this…

      Anyway, I manage to solve my previous post by not performing the Step 7…Thanks.. Great Work..:)

  48. John says:

    Alan,

    I have not been able to get the “DOMAINNAME\COMPUTERNAME Administrators” piece to work. The entry does not appear in the Local Administrators group. Does the actual security group need to be created before it will appear?

    I also get the following warning in the event viewer:

    The computer ‘Administrators (built-in)’ preference item in the ‘testAdminGroup {1EC221BF-3E61-434D-817C-1C07EDA42FB1}’ Group Policy object did not apply because it failed with error code ’0x80070534 No mapping between account names and security IDs was done.’ This error was suppressed.

    • Yes. You need to create the group for it to be added to the local computer… the warning you get is expected if you have not created the group in the domain.

  49. superhl says:

    “Step 11. Go back and repeat steps 6 and 7 but this time add the group “%DomainName%”\Workstations Administrators” in the name field. This will added the additional group “CONTOSO\Workstation Administrators” to the local admin group on all the workstations in your domain which will allow you to easily add all the Desktop Administrators in your organisation access to all the workstations without having to give them the local admin password or domain admin’s privileges.”

    Just to clarify… I completed these steps. Now what name do I give this group? “Workstation Administrators”, or is this created automatically and I just add the users? Thanks for a great article.

  50. William Cook says:

    Alan,
    I have a question regarding inheritance of this GPP as it pertains to the updating of a built-in local administrators group.
    Say we apply a GPP at the site level to delete existing group-type members of the group and then to update the membership with the desired group-type membership. Let us also assume that a second GPP is applied at the OU level that is only configured to further update the membership of the same group.
    Assuming a workstation is within scope of both policies, should the membership of the group in question contain the membership as configured in both the site GPP as well as the OU GPP or will the OU GPP override the configuration of the site GPP?

    • VertigoRay says:

      There’s a lot of “it depends” in that one, but the basic answer is this:

      GP is applied in order, sequentially, from the base of the tree (domain level) to the ends of the branches (sub-OUs). To see the order of application of all your GPs:
      1. From the Test Desktop/Workstation, open Command Prompt
      2. Type (and press enter, afterwards): gpresult
         a. Win7: Must be run with a Domain User with Local Admin rights. Also, the command is slightly different: gpresult /R
      3. Look for: COMPUTER SETTINGS > Applied Group Policy Objects
         a. This is a list of ALL GPOs that are in scope and applied to this computer.
            i. (Non-applied GPOs will be listed after this section in the “… filtered out” section.)
         b. These GPOs are applied from the bottom of the list to the top.
            i. This means that the GPO on bottom is applied first and the GPO on top is applied last.
            ii. This means that the GPO on top overwrites the GPOs below it.

      And there you have it! Now that I’ve taught you to fish, let me know what you catch!
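
The Event ID 4098 warnings quoted in comments 46 to 48 each mean a preference item did not apply, so the intended local group membership is not in force on that machine. The following added example (not part of the original post or its comments) parses the warning text and decodes the HRESULT into its Win32 error code; the function name `ConvertFrom-GppWarning` and the lookup table are assumptions made for this illustration.

```powershell
# Win32 error codes carried by the two HRESULTs quoted in the comments above.
$Win32Meaning = @{
    1332 = 'ERROR_NONE_MAPPED: account or group name could not be resolved to a SID'
    1388 = 'ERROR_INVALID_MEMBER: member has the wrong account type for a local group'
}

function ConvertFrom-GppWarning {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Pasted text often carries typographic quotes and a multiplication sign in "0x".
        $text = $Message -replace '[\u2018\u2019]', "'" -replace '\u00D7', 'x'
        $pattern = "'(?<item>[^']+)' preference item in the '(?<gpo>[^']+)' Group Policy " +
                   "object did not apply because it failed with error code '(?<hr>0x[0-9A-Fa-f]{8})"
        if ($text -match $pattern) {
            $hresult   = [Convert]::ToInt64($Matches['hr'], 16)
            $facility  = ($hresult -shr 16) -band 0x1FFF   # 7 = FACILITY_WIN32
            [int]$code = $hresult -band 0xFFFF             # low 16 bits = Win32 error code
            [pscustomobject]@{
                Item      = $Matches['item']
                Gpo       = $Matches['gpo']
                HResult   = $Matches['hr']
                Win32Code = $code
                Meaning   = if ($facility -eq 7 -and $Win32Meaning.ContainsKey($code)) {
                                $Win32Meaning[$code] } else { 'not in table' }
            }
        }
    }
}

# Messages as quoted in the comments above, retyped with plain ASCII quotes.
$samples = @(
    "The computer 'Administrators (built-in)' preference item in the 'testAdminGroup {1EC221BF-3E61-434D-817C-1C07EDA42FB1}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed."
    "The computer 'Administrators (built-in)' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x8007056c A new member could not be added to a local group because the member has the wrong account type.' This error was suppressed."
)
$samples | ConvertFrom-GppWarning | Sort-Object Gpo | Format-List

# On a live machine (log and source names as shown in the event quoted in comment 46):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Group Policy Local Users and Groups'; Id = 4098 } |
#     Select-Object -ExpandProperty Message | ConvertFrom-GppWarning
```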
