How to manage the local administrators group centrally on all systems

Muhammad Hussain 201 Reputation points
2020-07-29T11:49:27.567+00:00

Dear Experts,

I need your expert opinion on how to manage the local administrator account centrally from the domain via Group Policy. Currently we're managing the local admin account using Restricted Groups via Group Policy, but we have a lot of OUs and a lot of policies are deployed for superbly managing 1 local admin 1 site.
I've gone through the links below, but these also do not seem helpful.

Basically, I want to manage local admins via only one single Group Policy. I want to apply only one policy to the root container / OU, and everyone should get rights specifically on his OU. Please suggest.

I have an idea of LAPS too.
https://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223


Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-07-30T05:49:14.073+00:00

    Hello,

    Thank you so much for posting here.

    The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain-joined computers. For more information, we could refer to: https://www.microsoft.com/en-us/download/details.aspx?id=46899&Search=true

    As per my understanding, we would like to manage local admin accounts centrally. If so, we will put all the clients and machines into an OU and then manage the local admin account using Restricted Groups via Group Policy. Then the policy will be applied to all the clients and machines within the OU.

    But as per our description, it seems that different clients and machines will have different local admin account management. If so, I think we might create different OUs for the machines and then configure different GPOs.

    Please let me know if there is any misunderstanding. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

