Restricted Groups! Argh! We have all done this at least once: set up a Restricted Groups policy thinking it would add users to the local Administrators group on the local machines, only to find that the policy removes the existing members and replaces them with the members defined by the policy. This is great if every machine has the same set of requirements for who should be a local administrator. That is seldom true.
Wouldn't it be nice for a user to be able to call the help desk, request permission to be local admin of their machine and, with proper approval, have the help desk grant it without adding them to every machine (Restricted Groups), without modifying a GPO, AND without manually adding them to the local Administrators group? Wouldn't it be nice not to have run-on sentences?
So, good news for you. There is a way to manage the local Administrators group on local machines with Group Policy Preferences (GPP). What is really COOL here is that you do not need a Windows 2008 or 2008 R2 domain controller. YES, you can do this in a Windows 2003 forest/domain with no Windows 2008 or 2008 R2 domain controllers; all you need is a Vista/2008 or later machine with GPMC to edit the policy. Ah, but I have a mix of XP and Windows 7 clients, you say. This works from XP SP2 (not supported) and up. One caveat: XP, Vista and Server 2003 clients need the Group Policy Preferences client-side extensions (KB943729) installed before they will process these settings; Windows 7, Server 2008 and 2008 R2 have them built in.
It takes a few steps to set up, but it gives granular control to grant a specific user, users or groups administrative rights on a specific computer. The following is the framework needed to accomplish this.
Here are three GPO choices to manage local administrative access:
So with all that up front, let's sort of start over and redefine the problem and solution.
The problem: give a consistent set of support engineers local administrative rights everywhere and, on request, grant a specific user or group local administrative rights on one machine, temporarily or long term, without impacting all the other machines under the policy.
The solution: Group Policy Preferences. Under Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups, add two new settings.
The policy shown above is the completed result of the two steps below.
Step 1: Define the standard local admins that should be on every workstation. This is the same behaviour as the Restricted Groups you are familiar with. To get the dialog box below, create a new policy and navigate to "Local Users and Groups" under Computer Configuration/Preferences/Control Panel Settings. In the window on the right, right-click and choose New > Local Group; pick Administrators (built-in) as the group, leave the action as Update, and complete the rest as shown below. Take note of the two check boxes; we will be doing something different with them in the next step.
This list of Members is the set that should always have local admin rights. Note that both "Delete all…" check boxes are checked; that is what makes this item work like the Restricted Groups you are used to. To add the flexibility of granting a single user local admin on one machine, you need to add the second group, which is the dialog box below.
Step 2: Add a specific domain group to the local admins.
Same steps as above: in the same policy, add another Local Group item for Administrators (built-in). Note that this time the "Delete all…" check boxes are NOT checked.
The MEMBER shown above is %DomainName%\%ComputerName% - Administrators, without the quotes. This is a global group (a domain local group would also work), but the group does not need to exist unless you want to grant additional users admin rights on that machine. If it does not exist, the policy ignores it; if it does exist, its members are added to the local Administrators group. The variables are expanded on each client, so the resolved name has to match the AD group name exactly (comparison is not case sensitive). Using the %ComputerName% variable gives you the granular control you need. Want a list of available variables? After clicking the Add button, press F3 to see the list of preference variables.
The order of the two Local Group items is important. Items are processed top to bottom, in the sequence shown in the Order column. If you reverse them, the result will be only the members of the item that has the "Delete all…" boxes checked, since it would be the last one processed and would wipe out the computer-specific group every time policy refreshes. Use the move up/move down arrows on the toolbar if the order is wrong.
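Each GPO stores these items in a Groups.xml file under Machine\Preferences\Groups in SYSVOL, and the ordering rule above is easy to check from that file. The following PowerShell is an added example, not code from the original post: it parses such a file (a constructed sample is embedded; the domain name CORP, the member names and the uid values are assumptions for illustration) and flags the case where a "Delete all" item is processed after the additive per-computer item.

```powershell
# Added example (not from the original post): inspect the Groups.xml that the
# two Local Group items produce and flag the ordering mistake.
# Constructed sample of such a file; the domain CORP, the member names and the
# uid values are assumptions for illustration.
$sampleGroupsXml = @'
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" description="" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\Domain Admins" action="ADD" sid=""/>
        <Member name="CORP\Desktop Support" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="%DomainName%\%ComputerName% - Administrators" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

function Test-AdminGroupPreferenceOrder {
    <#
      Walks the Administrators (S-1-5-32-544) items of a GPP Groups.xml in the
      order the client-side extension applies them and reports a problem when an
      item with "Delete all" set runs after an additive (non-delete) item.
    #>
    param([Parameter(Mandatory)][xml]$GroupsXml)

    $items  = @()
    $issues = @()
    $seenAdditive = $false

    foreach ($g in $GroupsXml.SelectNodes('/Groups/Group')) {
        $p = $g.SelectSingleNode('Properties')
        if ($p.GetAttribute('groupSid') -ne 'S-1-5-32-544') { continue }

        $deleteAll = ($p.GetAttribute('deleteAllUsers') -eq '1') -or ($p.GetAttribute('deleteAllGroups') -eq '1')
        $members   = @($p.SelectNodes('Members/Member') | ForEach-Object {
            "$($_.GetAttribute('action')) $($_.GetAttribute('name'))"
        })
        $items += [pscustomobject]@{
            Order     = $items.Count + 1
            Uid       = $g.GetAttribute('uid')
            Action    = $p.GetAttribute('action')
            DeleteAll = $deleteAll
            Members   = ($members -join '; ')
        }
        if ($deleteAll -and $seenAdditive) {
            $issues += "Item $($items.Count) clears the group after an additive item; reverse the order or the per-computer members are wiped on every refresh."
        }
        if (-not $deleteAll) { $seenAdditive = $true }
    }
    if ($items.Count -eq 0) { $issues += 'No Administrators (built-in) items found.' }

    [pscustomobject]@{ Ok = ($issues.Count -eq 0); Items = $items; Issues = $issues }
}

# Check the constructed sample. For a real GPO, load the file from SYSVOL instead, e.g.
# [xml](Get-Content '\\corp.example\SYSVOL\corp.example\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml')
$result = Test-AdminGroupPreferenceOrder -GroupsXml ([xml]$sampleGroupsXml)
$result.Items | Format-Table -AutoSize
if (-not $result.Ok) { $result.Issues | ForEach-Object { Write-Warning $_ } }
```

Swap the two Group elements in the sample and the function reports the issue. Keep in mind that SYSVOL is readable by every authenticated user, so Groups.xml tells anyone in the domain which AD group name grants local admin on which machine; treat the membership of those groups as something to audit, not just to grant.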
Once this is set up, let's say a user named Joe User needs Administrative access to his local computer named LTCincy001. The steps to grant him admin rights: create a group in AD named "LTCincy001 - Administrators" and put Joe User in it. That's it. The next GPO refresh adds that group to the local Administrators group without impacting the local Administrators membership of any other computer; gpupdate /force on LTCincy001 will do the trick. One caveat: Joe's access token is built at logon, so after he is added to the AD group he needs to log off and back on before the new membership takes effect.
So you could pre-create all, some or none of these groups with no members and delegate permissions to manage their membership if you want to control it that way. There are many possibilities.
Hopefully this gets some of your creative minds thinking and makes you want to dive into Group Policy Preferences a little deeper.
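The help-desk side of that workflow, as an added example that is not code from the original post: it creates the per-computer group if it is missing, adds the requested member, reads back the live local Administrators group on the target, and shows the one-time delegation from the previous paragraph. It requires the ActiveDirectory module (RSAT on a Windows 7/2008 R2 or later admin workstation; against a 2003-only domain the module needs the Active Directory Management Gateway Service on a DC). The OU, the domain name CORP, the HelpDesk group, the ticket number and the user/computer names are assumptions.

```powershell
# Added example (not from the original post): help-desk side of the workflow.
# Requires the ActiveDirectory module (RSAT). The OU, the domain CORP, the
# HelpDesk group and the sample names are assumptions.
Import-Module ActiveDirectory

# Where the per-computer groups live (assumption); pick an OU the help desk can manage
$LocalAdminGroupOU = 'OU=Local Admin Groups,DC=corp,DC=example'

function Get-LocalAdminGroupName {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Must produce exactly what the GPP member "%ComputerName% - Administrators" resolves to
    "$ComputerName - Administrators"
}

function Grant-LocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName of the user or group to add
        [string]$Ticket = ''                        # help-desk reference, kept in the group description
    )
    # Refuse to create a group for a computer that is not in AD (catches typos in the name)
    $computer  = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $groupName = Get-LocalAdminGroupName -ComputerName $computer.Name
    $group = Get-ADGroup -Filter { Name -eq $groupName } -SearchBase $LocalAdminGroupOU
    if (-not $group -and $PSCmdlet.ShouldProcess($groupName, 'Create per-computer admin group')) {
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $LocalAdminGroupOU `
            -Description "Local Administrators on $($computer.Name). Ticket: $Ticket" -PassThru
    }
    if ($group -and $PSCmdlet.ShouldProcess("$Identity -> $groupName", 'Add member')) {
        Add-ADGroupMember -Identity $group -Members $Identity
    }
    $group
}

function Revoke-LocalAdmin {
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][string]$Identity)
    $groupName = Get-LocalAdminGroupName -ComputerName $ComputerName
    $group = Get-ADGroup -Filter { Name -eq $groupName } -SearchBase $LocalAdminGroupOU
    if ($group) { Remove-ADGroupMember -Identity $group -Members $Identity -Confirm:$false }
}

function Get-LocalAdministrators {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Reads the live local Administrators group over the WinNT provider, so it also
    # works against XP/2003 targets that have no PowerShell or WinRM.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# One-time delegation so the help desk can manage membership of every group under the
# OU without being Domain Admins: Write Property on the "member" attribute of group objects.
# dsacls ships with Windows; CORP\HelpDesk is an assumption. Run once, deliberately:
# dsacls $LocalAdminGroupOU /I:S /G 'CORP\HelpDesk:WP;member;group'

# Usage (assumed names): grant, let the computer refresh, then verify and later revoke.
Grant-LocalAdmin -ComputerName 'LTCincy001' -Identity 'joe.user' -Ticket 'HD-1234' -Verbose
# On LTCincy001: gpupdate /force   (then Joe logs off and on so his token carries the group)
Get-LocalAdministrators -ComputerName 'LTCincy001'
# Revoke-LocalAdmin -ComputerName 'LTCincy001' -Identity 'joe.user'
```

Run Grant-LocalAdmin with -WhatIf first to see what it would create. Get-LocalAdministrators returns ADsPath entries such as WinNT://CORP/LTCincy001 - Administrators once the client has refreshed policy, which is the check to do before telling the user they are done.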