This GPO will add a domain account as a local admin on all workstations.
First you need to create a security group called Local Admin: Log onto a Domain Controller, open Active Directory Users and Computers (
dsa.msc) Create a security Group name it Local Admin. From Menu Select Action => New => Group => Name the group as Local Admin. Add the members to Local Admin group. I will add two users say Tom and Bob.
Next you need to create a group policy called “Local Admin GPO”: Open Group Policy Management Console (
gpmc.msc) Right click on Group Policy Objects => select New => Type the name of the policy “Local Admin GPO”
- Configure the policy to add the “Local Admin” group as Administrators: Here you will add the Local Admin group to the Local Admin GPO policy and put them in the groups you wish them to use. Right click “Local Admin GPO” Policy then select Edit.
Computer configuration\Policies\Windows Settings\Security Settings\Restricted GroupsIn the Left pane on Restricted Groups, Right Click and select “Add Group”
- In the Add Group dialog box, select browse and type Local Admin and then click “Check Names”
- Click OK twice to close the dialog box.
- Click Add under “This group is a member of:” Add the “Administrators” Group. Add “Remote Desktop Users” Click OK twice.
- NOTE: It is important to NOT touch the “Members of this group” field as that will allow ONLY those you select and remove anything else. We are adding to, not taking away!
Linking GPO In Group policy management console: Right click on the domain or the OU and select Link an Existing GPO => Select the Local Admin GPO
- Testing GPOs: Log on to a PC which is join to the domain and then run
gpupdate /forceand check the local administrators group. You should see Local Admin in that group now. Make sure all PCs you want to access should be move to an OU and properly link above GPO. Tom and Bob domain users can now access all PCs remotely as a local administrator.