GPO and local Administrator group

It’s common to use a Group Policy Preference to push an AD group into the local Administrators group on a server or client.
But something you might not know is that you can use a variable in the group name to make it a bit more dynamic. With this setup you only need to create one GPO and one AD group per server. There is no need to log on to, or run a PowerShell script against, each server to add a group to the local Administrators group.

First create an empty GPO and link it to an OU containing your servers you want to target.

Then edit your new GPO and go to Computer Configuration -> Preferences -> Local Users and Groups, right-click the white area on the right and select New -> Local Group.

Set the action to Update and Administrators (built-in) as the group name. Then press Add… under Members.

As the member name, add your desired naming convention for server admin groups and end it with the variable %computername%. In my lab environment the group name is homelab\ServerLocalAdmin-%computername%. My AD domain is called homelab.

The next part is to create an AD group following your naming convention, with the computer name at the end. The server I want to test this on is called SQL2016, so the group name is ServerLocalAdmin-SQL2016.

The next step is to verify the result of the GPO. First log on to your server and then run gpupdate /force.

Open Computer Management to verify the members in the local admin group.
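The procedure above still needs one AD group per server and a check on each box; the following PowerShell is an added example (not from the original post) that bulk-creates the per-server groups from the computer objects in the target OU and then verifies the local Administrators membership on a server. It assumes the ActiveDirectory RSAT module, a NetBIOS domain name of HOMELAB, and placeholder OU paths.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module is installed and the domain's NetBIOS name is HOMELAB.
Import-Module ActiveDirectory

$ServerOU = 'OU=Servers,DC=homelab,DC=local'      # placeholder: OU the GPO is linked to
$GroupOU  = 'OU=AdminGroups,DC=homelab,DC=local'  # placeholder: OU where the admin groups live
$Prefix   = 'ServerLocalAdmin-'                   # must match the member name in the GPO

# Run on a management host: create one group per computer object in the OU,
# named exactly as the GPO's %computername% expansion will resolve it.
function New-ServerAdminGroups {
    Get-ADComputer -SearchBase $ServerOU -Filter * | ForEach-Object {
        $name = "$Prefix$($_.Name)"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -SamAccountName $name `
                -GroupScope Global -GroupCategory Security -Path $GroupOU `
                -Description "Members are local Administrators on $($_.Name)"
            "Created $name"
        }
        else {
            "Exists  $name"
        }
    }
}

# Run on the target server (e.g. SQL2016): refresh policy, confirm the expected
# group was added, and list anything else that sits in Administrators. The GPP
# Update action only adds the listed member, so stale or unexpected members are
# not removed unless the "Delete all member users/groups" options are ticked.
function Test-ServerAdminGroup {
    gpupdate /force | Out-Null
    $expected = "HOMELAB\$Prefix$env:COMPUTERNAME"
    $members  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -contains $expected) { "OK: $expected is in Administrators" }
    else { "MISSING: $expected (does the AD group exist and did the GPO apply?)" }

    $known = @($expected, "$env:COMPUTERNAME\Administrator", 'HOMELAB\Domain Admins')
    $members | Where-Object { $_ -notin $known } | ForEach-Object { "Review: unexpected member $_" }
}
```

If the AD group does not exist when the GPO applies, the preference cannot resolve the name and the member is silently absent, which is exactly what the MISSING line catches.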
