= A GPO to Make Everyone Local Administrator =
**Summary**: How to make a GPO to make every domain user a local administrator. \\
**Date**: Around 2009 \\
**Refactor**: 6 March 2025: Checked links and formatting. \\
{{tag>gpo ad windows}}
This is how to make a GPO to make every domain user a local administrator. Please remember that this is not best practice and you should have a really good reason to do this.
== AD Users and Computers ==
Creating the GPO can be done in a couple of ways. I take the easy way, with the Active Directory Users and Computers console. Select or create the OU in which you want the policy to take effect and open its properties: \\
[{{adusersandcomputers1.jpg}}] \\
In the new window, select the Group Policy tab and create a new GPO. Give the new GPO a name that describes its function, then select Edit: \\
[{{adusersandcomputers2.jpg}}] \\
Go to "Computer Configuration" -> "Windows Settings" -> "Restricted Groups", right-click it and select "Add Group": \\
[{{adusersandcomputers3.jpg}}] \\
Type the name of the group you want to ''give'' local administrator rights on the computers beneath the OU: \\
[{{adusersandcomputers4.jpg}}] \\
In the new window, add "Administrators" under "This group is a member of". Use this setting, not "Members of this group": the latter is enforced as the complete member list of the group you typed, whereas "This group is a member of" only adds your group to the local Administrators group and leaves its existing members alone: \\
[{{adusersandcomputers5.jpg}}] \\
Save your settings and you're done.
== Refresh GPO ==
Remember that group policies can take a while before they are applied. They are refreshed, and computer and user settings applied, in the following cases:
  * When a user logs on
  * When gpupdate is run on the client computer
  * At the refresh interval, if one is configured on that computer
  * By default:
    * Domain controllers are refreshed every five minutes
    * All other computers are refreshed every 90 minutes, with a random offset of up to plus or minus 30 minutes (the offset interval)
You can change these settings with gpedit.msc: start it and go to "Computer Configuration" -> "Administrative Templates" -> "System" -> "Group Policy": \\
[{{gpedit.jpg}}] \\
== Refresh GPO remotely ==
There is no way to refresh Group Policy remotely using only built-in Windows tools. There are, however, several tools that let you do this. This describes using [[http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx |psexec.exe]], a lightweight telnet substitute that can be used to launch processes on remote Windows computers. It's originally from [[http://technet.microsoft.com/en-us/sysinternals/default.aspx |Sysinternals]].
Once you've downloaded psexec, open a command prompt and type
<code>
psexec \\computer cmd
</code>
where computer is the name or IP address of the remote computer you are targeting. Once you've done this, you're looking at an interactive command prompt on the remote computer, and any command you now type (like gpupdate /force) is executed on the remote machine instead of the local one. Of course, this can also be done on several computers automatically, if you use a computer list (one computer name per line; note that psexec expects @file, without a leading dash):
<code>
Psexec.exe @ComputerList.txt Gpupdate.exe /Target:User /force
Psexec.exe @ComputerList.txt Gpupdate.exe /Target:Computer /force
</code>
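Once a policy like the one above is in place, the thing you will later want to know is on which computers a broad group actually ended up in the local Administrators group. The following PowerShell audit is an added example, not code from the original page: it reads the same kind of one-name-per-line computer list used with psexec, lists the local Administrators members of each host over the WinNT ADSI provider (no WinRM needed), records hosts it cannot reach instead of skipping them, and flags well-known broad principals. It assumes you run it as an account with administrative rights on the targets and that computers.txt is a constructed list in the current directory.

```powershell
# Added audit example (not from the original page): report local Administrators
# membership on each computer and flag broad domain principals.
# Assumptions: admin rights on the targets, RPC reachable, computers.txt is a
# constructed one-name-per-line list like the one used with psexec above.

# Principals that should normally never be local administrators on workstations.
$broadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT provider works against any Windows version without WinRM.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath looks like WinNT://DOMAIN/Name; keep DOMAIN (or the host name for local accounts).
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        [pscustomobject]@{ Computer = $ComputerName; Source = $source; Member = $name }
    }
}

$results = foreach ($computer in (Get-Content .\computers.txt | Where-Object { $_.Trim() })) {
    $computer = $computer.Trim()
    try {
        Get-LocalAdminMembers -ComputerName $computer
    } catch {
        # Unreachable or access denied: record it rather than silently skipping the host.
        [pscustomobject]@{ Computer = $computer; Source = 'ERROR'; Member = $_.Exception.Message }
    }
}

$results | Sort-Object Computer, Member | Format-Table -AutoSize

# Hosts where a broad group is a local administrator, i.e. where such a policy is in effect.
$flagged = $results | Where-Object { $broadPrincipals -contains $_.Member }
if ($flagged) {
    Write-Warning 'Broad principals found in local Administrators on these hosts:'
    $flagged | Format-Table Computer, Source, Member -AutoSize
}
```

Run it before and after a GPO change (or after the remote gpupdate above) to confirm the policy took effect where intended and nowhere else.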