AD: Managing Local Administrator Group Memberships

Being able to easily delegate access to domain systems is essential so that the necessary IT staff can manage their environments. A proper OU structure, combined with Active Directory GPOs, makes this a fairly simple task.

GPOs can be used to add users or groups to local admins or to replace the existing memberships. Using GPOs ensures access is granted uniformly and consistently for a specific group of systems, ideally separated by their OU placement.

Follow the steps below to add to or replace the local admin memberships on domain systems. I’ll use the Exchange environment in this example, but the process can be applied to any OU or even at the domain level.

Adding members to local admin

  • Identify administrative security groups to be added to the local admins group on systems, e.g. Exchange_Admins
  • Open Group Policy Management Console and create a new group policy object to manage the configuration – Exchange_Configuration
  • Edit the Exchange_Configuration GPO
  • Expand Computer Configuration / Windows Settings / Security Settings / Restricted Groups
  • Right-click Restricted Groups, and select Add Group
  • Browse and locate the Exchange_Admins group
  • Click OK, OK
  • A new window will open up and under ‘This group is a member of’, click Add
  • Enter BUILTIN\Administrators
  • Click OK, OK
  • Right-click the Exchange Servers OU and select Link an Existing GPO
  • Select the Exchange_Configuration GPO and click OK

To replace members in local admin

  • Identify administrative security groups to be added to the local admins group on systems, e.g. Exchange_Admins
  • Open Group Policy Management Console and create a new group policy object to manage the configuration – Exchange_Configuration
  • Edit the Exchange_Configuration GPO
  • Expand Computer Configuration / Windows Settings / Security Settings / Restricted Groups
  • Right-click Restricted Groups, and select Add Group
  • Enter BUILTIN\Administrators, click OK
  • A new window will open up and under ‘Members of this group’, click Add
  • Browse and locate the Exchange_Admins group
  • Click OK, OK
  • Right-click the Exchange Servers OU and select Link an Existing GPO
  • Select the Exchange_Configuration GPO and click OK

Admins can make changes to the memberships, but the GPO will override any changes at the next refresh interval (approximately every 90 min). In both instances, removing the configurations will revert the local admin memberships to the original configuration.
