
Virtual Geek

Tales from real IT system administrators world and non-production environment

Adding an Active Directory group to the computer local Administrators group using a Group Policy Object - Part 2

This is the second part of my earlier article Adding user to domain administrators from another cross domain - Part 1, where I set up a cross-domain trust and added a cross-domain user to the AD Administrators group for management purposes. After getting access to the acquired company's Active Directory domain controllers, I wanted to get access to a few member servers for management.

In Active Directory Users and Computers I created a group named Server_Admins, with group scope Domain Local and the default group type, Security, and added a user from the other domain to this group.


[Screenshot: Active Directory Users and Computers, new group Server_Admins with Domain Local scope and Security type, member added from the other domain]

Next, for easier management, I already have an organizational unit (OU) that holds the computer account objects; I need administrator access on these computers.

[Screenshot: Active Directory Users and Computers, computer account objects in a separate OU for Group Policy management]

Open the Group Policy Management tool. Expand Forest > Domains > Group Policy Objects, right-click and select New.

[Screenshot: Group Policy Management, Group Policy Objects, creating a new GPO for local Administrators group management]

This creates a new GPO; I named it Administrator_From_Another_Domain.

[Screenshot: New GPO dialog, name Administrator_From_Another_Domain, Source Starter GPO (none)]

After pressing OK, the GPO shows under Group Policy Objects. It is empty at the moment; there are no settings in it.

[Screenshot: Group Policy Management, Forest > Domains > Group Policy Objects, Edit on Administrator_From_Another_Domain]

The GPO opens in the Group Policy Management Editor. Expand Computer Configuration > Policies > Windows Settings > Security Settings, right-click Restricted Groups and select Add Group. Browse for the group, select the group created earlier (Server_Admins), click Check Names and click OK twice.

[Screenshot: Group Policy Management Editor, Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, Add Group]

The new group name now shows under Restricted Groups. Open its properties and click the Add button under "This group is a member of". Browse for the group membership and select Administrators (this represents the local Administrators group on the computer).

[Screenshot: Group Policy Management Editor, Restricted Groups, "This group is a member of", Add, From this location, Check Names]

The GPO configuration is complete. Close the Group Policy Management Editor; the settings are saved automatically.

[Screenshot: Group Policy Management Editor, Server_Admins properties, "This group is a member of": Administrators]

The newly created GPO now has the settings. Right-click the OU where it should be linked, select Link an Existing GPO, choose the GPO from the list, and click OK.

[Screenshot: Group Policy Management, Link an Existing GPO on the OU, Select GPO from Group Policy objects in this domain]

The link is visible on the OU. Configuration is complete.
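As an added example (not from the original post), the same group, GPO and OU link built from PowerShell with the ActiveDirectory and GroupPolicy modules. The OU paths, the trusted domain name and the user account are assumptions; the Restricted Groups membership itself has no cmdlet and is still set in the editor as described above.

```powershell
# Added example, not from the original post. Values marked "assumption"
# are placeholders for this lab; the group and GPO names come from the article.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName     = 'Server_Admins'
$GpoName       = 'Administrator_From_Another_Domain'
$GroupOU       = 'OU=Groups,DC=child,DC=example,DC=com'    # assumption
$TargetOU      = 'OU=Servers,DC=child,DC=example,DC=com'   # assumption
$TrustedDomain = 'corp.example.com'                         # assumption
$ForeignUser   = 'jdoe'                                     # assumption

# Domain Local scope is what lets the group hold a principal from a trusted
# domain; a Global group cannot contain members from outside its own domain.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
        -Description 'Members become local Administrators on servers via GPO'
}

# Resolve the user against a DC of the trusted domain, then add it by SID.
# The <SID=...> form is what AD accepts for a foreign security principal.
$user = Get-ADUser -Identity $ForeignUser -Server $TrustedDomain
Set-ADGroup -Identity $GroupName -Add @{ member = "<SID=$($user.SID.Value)>" }

# Create the (still empty) GPO and link it to the OU holding the servers.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Restricted Groups: Server_Admins -> Administrators'
}

$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# The Restricted Groups "This group is a member of" entry has no cmdlet;
# set it in the editor, then confirm it shows up in the GPO report.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Run it from a management host in the domain that owns the servers, with an account allowed to create groups, GPOs and links.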

[Screenshot: Group Policy Management, the linked GPO shown under the Computers OU]

Generally it takes 90 minutes for the settings to reach the computers. I can verify the result in Local Users and Groups, in the properties of the Administrators group.

[Screenshot: Local Users and Groups, Administrators properties, the domain group added by the GPO; "Administrators have complete and unrestricted access to the computer/domain"]

If you don't want to wait, you can reboot the server to get the settings immediately; to avoid a reboot, run the gpupdate /force command at a command prompt instead (make sure you open CMD as administrator so that the computer policy is applied).

[Screenshot: Command prompt, gpupdate /force, "Computer Policy update has completed successfully. User Policy update has completed successfully."]

To verify that the policies are coming from the Group Policy server, I can run gpresult /h report.html & start report.html. As the screenshot shows, this policy is the winning one.
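As an added verification example (not from the original post), a PowerShell audit of the local Administrators group on every server in the OU. Note that the "This group is a member of" setting only adds Server_Admins; it never removes anyone else from local Administrators, so the script also flags members that are not on a baseline list. It assumes the OU path, the domain's NetBIOS name, WinRM access to the servers and PowerShell 5.1 or later on them.

```powershell
# Added example, not from the original post. Values marked "assumption"
# are placeholders for this lab.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TargetOU = 'OU=Servers,DC=child,DC=example,DC=com'   # assumption
$Expected = 'CHILD\Server_Admins'                     # assumption (NetBIOS\group)
# Accounts allowed in local Administrators besides the GPO-managed group,
# compared on the part after the backslash so the built-in Administrator
# account matches on every host.
$Baseline = @('Administrator', 'Domain Admins', 'Server_Admins')

$servers = (Get-ADComputer -SearchBase $TargetOU -Filter 'Enabled -eq $true').Name

# Collect the current membership from each server over WinRM. Orphaned
# members show up as a raw SID in Name and will be reported as unexpected.
$membership = Invoke-Command -ComputerName $servers -ErrorAction Continue -ScriptBlock {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Members  = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
    }
}

$report = foreach ($m in $membership) {
    $applied = $m.Members -contains $Expected
    $extra   = $m.Members | Where-Object { $Baseline -notcontains ($_ -split '\\')[-1] }
    if (-not $applied) {
        # Policy not there yet: pull the RSoP so the winning GPO can be checked,
        # the same information gpresult /h shows on the console.
        Get-GPResultantSetOfPolicy -Computer $m.Computer -ReportType Html `
            -Path "$env:TEMP\rsop-$($m.Computer).html" | Out-Null
    }
    [pscustomobject]@{
        Computer      = $m.Computer
        PolicyApplied = $applied
        Unexpected    = ($extra -join ', ')
    }
}

$report | Sort-Object PolicyApplied, Computer | Format-Table -AutoSize
```

Servers that fail to answer over WinRM are reported by Invoke-Command as errors and are missing from the table, so an empty row set for a host is itself a finding to follow up.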

[Screenshot: Group Policy Results HTML report, Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, winning GPO]
