Controlling Local Group Membership Via GPO

Often, it is desired to modify the memberships of local computer's built-in groups automatically. This can be done via a Group Policy Object (GPO) that is created and linked to the Organizational Unit (OU) that contains the computer objects.

This GPO can

1. Point to computer startup script(s) that will check and update which users or groups are members of the machine’s local groups
   • More flexible (but may slow machine startup)
   • Runs at the next reboot.
2. Use "Restricted Groups" policies.
   • Simpler to configure.
   • Changes take effect at next GP refresh (usually every day or at reboot)

For Example:

During the process to join a Windows computer to a domain, the group “Domain Admins” is added to the local machine's Administrators group. For systems administrators that are not Domain Admins, they are not granted local admin access by this action. This can be changed by one of the methods above

Scripts

Scripts currently available (in the SU domain)

• AddAdmin.vbs will add additional accounts to the local administrators group
• RemoveDomAdmin.vbs will remove "SU\Domain Admins" from the local "Administrators" group
• AddUser.vbs will add accounts to the local "Users" group
• RemoveDefaultUsers.vbs will remove "SU\Domain Users", Authenticated Users, and INTERACTIVE from the "Users" group.

To use scripts:

• Open Active Directory Users and Computers.
• Browse to the OU that will contain the computer account objects
• Open "Properties"
• Select the Group Policy Tab
• Create a new Group Policy Object
• Edit the new object
• In the Group Policy MMC, browse to:
  • Computer Configuration/Windows Settings/Scripts
• Click "Startup"
• Indicate the script that you wish to add:
• Enter \\su.win.stanford.edu\Netlogon\<scriptname>
• Or Browse - In SU, the scripts are in the folder:
  My Network Places\Entire Network\SysVol on Entire Network\su.win.stanford.edu\scripts
• For the "Add" scripts, specify groups or users to add in the Script parameters dialog
• Example "SU\su.rwilper SU\ITSS.admin"
• Multiple users or groups can be added, separate with a <space>
• Note: This means that groups that have a <space> in the name will not be parsed correctly. Tests show that quotes around a group name get removed in the GPO

Using scripts for the above example:

AddAdmin.vbs would be linked in a GPO with parameters set to a group created for an organization's local administrators for machines .

Note: Some of the scripts need modification before they are run in another domain (see SU for example).

Feel free to create more scripts using these examples. If you create a new script that would assist others, please submit them for inclusion into this set.

Restricted Groups

• Open Active Directory Users and Computers.
• Browse to the OU that will contain the computer account objects
• Open "Properties"
• Select the Group Policy Tab
• Create a new Group Policy Object
• Edit the new object
• In the Group Policy MMC, browse to:
  • Computer Configuration/Windows Settings/Security Settings/Restricted Groups
• Right-Click and choose "Add Group"
• The group name you enter will be the group that is restricted (Administrators)
• Select the group and choose the allowed members.

Using Restricted Groups for the above example:

Specify "Administrator", and your administration group to the Administrators restricted group settings

Note: If you have renamed the administrator account, use the new name or the local built-in admin will be removed (as the names don't match)

Note: This only works properly if all built-in administrator accounts of the machines in the OU have the same username. (You can use the administrator account rename feature in the GPO to make them all rename to the same value)

Script contents:

Created: December 1, 2003 by Ross Wilper Last modified: January 05, 2006 by Ross Wilper ©2006 Trustees of the Leland Stanford Junior University