Wednesday, December 12, 2012

AD 2008R2 - GPO for Adding a Security Group to Local Administrators

There are times where you will have a default security group which needs access to all the servers in a particular domain or an organizational unit. In AD 2008R2 you can create a group policy that will automatically deploy this security group to all the servers or computers in a particular group.

Create a Security Group:
The first thing we need is to create a new Security Group to assign to the GPO. In Active Directory Users and Computers Right Click in the organizational unit where you want to create this new security group and Click New and then Group from the flyout. Lets call this group Server Admins. This group should be a Global Security Group.
Once the group is created Double Click on it and go to the Members Tab. Go ahead and add the users that you would like to be in this group and Click OK
Create a GPO:
Now that we have our Security Group ready lets create the GPO. Open Group Policy Management and drill down to the domain you would like to create this GPO in and expand Group Policy Objects. In the active window Right Click and select New. Lets call this GPO Local Administrator. Click OK and you should see the new GPO you just created.
Modify The GPO:
In the navigation tree Right Click on your newly created GPO and select Edit. In the Group Policy Management Editor drill down to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. In the active field Right Click and select Add Group. You can Click Browse to locate the security group you just created and Click OK

You will be prompted to apply properties to this group. Under This group is a member of: Click Add and Click Browse. Add Administrators and Remote Desktop Users. Click OK
*Gotcha - If you change Members of this group: you will overwrite the users you added to the group in the Create a Security Group step above.

*Note -The group selection is dynamic. If you add a group called Butterfly, the security group will be added to any server that has a local group called Butterfly

You will see the new security group added to the GPO and the group memberships as well.

Apply & Test the GPO:
Next we need to apply the GPO to the OU that that has the computers which will receive it.

*Caution - You should test all GPO's in a lab environment or on a Test OU BEFORE applying them to the live production environment to ensure you will achieve the desired outcome.

In the navigation tree simply drag the Local Administrator GPO to the computer group you want it to be applied to. You will be prompted to link the GPO to the OU. Click OK

The final step is to test the GPO. Log into a machine that is in the OU you applied the GPO to and open a command prompt. Run the following:
gpupdate /force
Go into Administrators under Local Users and Groups and you should see the newly created Security group.

More to come!

If you like this blog give it a g+1

No comments:

Post a Comment