wiki.getshifting.com

--- Sjoerd Hooft's InFormation Technology ---


A GPO to Make Everyone Local Administrator

Summary: How to make a GPO to make every domain user a local administrator.
Date: Around 2009
Refactor: 6 March 2025: Checked links and formatting.

This is how to make a GPO to make every domain user a local administrator. Please remember that this is not best practice and you should have a really good reason to do this.

AD Users and Computers

Creating the GPO can be done in a couple of ways. I take the easy way, with the Active Directory Users and Computers console. Select or create the OU in which you want the policy to take effect and open its properties:

adusersandcomputers1.jpg


In the new window select Group Policies and create a new one. Give the new GPO a name that is descriptive of its function. Then select Edit:

adusersandcomputers2.jpg


Go to “Computer Configuration” → “Windows Settings” → “Restricted Groups”, right-click it and select “Add Group”:

adusersandcomputers3.jpg


Type the name of the group you want to give local administrator rights on the computers beneath the OU:

adusersandcomputers4.jpg


In the new window, add “Administrators” to the “This group is a member of” list:

adusersandcomputers5.jpg


Save your settings and you're done.

Refresh GPO

Remember that group policies can take a while before they are applied. They are refreshed, and computer and user settings applied, in the following instances:

  • When a user logs on
  • When gpupdate is run on the client computer
  • At the refresh interval, if one is configured on that computer
    • By default:
      • Domain controllers are refreshed every five minutes
      • All other computers are refreshed every 90 minutes, with a random offset of up to 30 minutes (the offset interval)

You can change these settings using gpedit.msc: start it and go to “Computer Configuration” → “Administrative Templates” → “System” → “Group Policy”:

gpedit.jpg


Refresh GPO remote

There is no way to do a remote GPO refresh using Windows tools only. There are, however, several tools that let you do this. This section describes using psexec.exe, a lightweight telnet replacement that can be used to launch processes on remote Windows computers. It is originally from Sysinternals.

Once you've downloaded psexec, open a command prompt and type:

psexec \\computer cmd

where computer is the name or IP address of the remote computer you are targeting. Once you've done this, you're looking at an interactive command prompt on the remote computer, and any command you now type (such as gpupdate /force) is executed on the remote machine instead of the local one. This can also be done on several computers automatically if you use a computer list (one computer name per line):

psexec.exe @ComputerList.txt gpupdate.exe /Target:User /force
psexec.exe @ComputerList.txt gpupdate.exe /Target:Computer /force
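
Two things are worth checking once a policy like this is in place: that it actually landed on every machine in the list, and that the local Administrators group contains nothing more than what the policy put there. Note that the “This group is a member of” setting used above only adds the group to Administrators; it does not remove accounts that were already in the local group, so the membership can drift without anyone noticing. The following PowerShell script is an added example and is not part of the original page: it refreshes the computer policy on each machine from the same ComputerList.txt the psexec command uses (over WinRM instead of psexec) and then reports the local Administrators membership. It assumes WinRM is enabled on the targets, the targets run PowerShell 5.1 or later (for Get-LocalGroupMember), and the account running it is already a local administrator on them; the group name in $ExpectedGroup is a hypothetical placeholder.

```powershell
# Added example, not part of the original page. Refreshes the computer policy
# on every machine listed in ComputerList.txt (one name per line, as for
# psexec) and reports who sits in the local Administrators group afterwards.
# Assumptions: WinRM enabled on the targets, PowerShell 5.1+ on the targets
# (Get-LocalGroupMember), and the caller is already a local administrator there.
param(
    [string]$ComputerListPath = '.\ComputerList.txt',
    # Hypothetical name of the domain group added under Restricted Groups.
    [string]$ExpectedGroup    = 'DOMAIN\LocalAdmin-Users',
    # Accounts that are normally present and should not be reported as drift.
    [string[]]$KnownMembers   = @('DOMAIN\Domain Admins')
)

$computers = Get-Content -Path $ComputerListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' -and -not $_.StartsWith('#') }

$report = foreach ($computer in $computers) {
    try {
        # Restricted Groups lives under Computer Configuration, so only the
        # computer target needs a refresh. A /Target:User refresh inside a
        # remote session would only apply to the session's own account, not
        # to whoever is logged on at the console.
        $members = @(Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            gpupdate.exe /Target:Computer /force | Out-Null
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        })

        # The built-in local account shows up as COMPUTERNAME\Administrator,
        # so anything ending in \Administrator is treated as expected too.
        $expected   = @($ExpectedGroup) + $KnownMembers
        $unexpected = $members | Where-Object {
            $expected -notcontains $_ -and $_ -notlike '*\Administrator'
        }

        [pscustomobject]@{
            Computer          = $computer
            PolicyApplied     = ($members -contains $ExpectedGroup)
            UnexpectedMembers = ($unexpected -join '; ')
            Error             = ''
        }
    }
    catch {
        # Unreachable host, WinRM disabled, access denied: record it rather
        # than silently skipping the machine.
        [pscustomobject]@{
            Computer          = $computer
            PolicyApplied     = $false
            UnexpectedMembers = ''
            Error             = $_.Exception.Message
        }
    }
}

# Machines where the policy did not apply, or where extra administrators
# exist, sort to the top and are the ones to look at first.
$report | Sort-Object PolicyApplied, Computer | Format-Table -AutoSize
```

Run it from a management workstation as a domain account that is already a local administrator on the targets, for example `.\Check-LocalAdmins.ps1 -ExpectedGroup 'CONTOSO\Workstation-Admins'` (script file name and group name are placeholders). A row with PolicyApplied set to False after the refresh usually means the computer is outside the OU the GPO is linked to or has not been able to reach a domain controller; a non-empty UnexpectedMembers column is the drift the Restricted Groups “member of” setting does not clean up on its own.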