GPO - Add groups to local administrators on servers that match the server's name

Merte Sakker 1 Reputation point
2022-10-24T12:48:55.03+00:00

Hello
I'm trying to add groups to the Local Administrators on my servers via GPO.
I want to add specific groups to each server, all with one GPO.

Example:
I want the group "Exchangeserver1-LocalAdmin" to be added to Local Administrators of the server Exchangeserver1.
And then the same with exchangeserver2 and dcserver1 and appserver6, etc.

How do I do this?
Thanks


2 answers

  1. Daisy Zhou 23,426 Reputation points Microsoft Vendor
    2022-11-03T05:37:43.83+00:00

    Hello MerteSakker-2385,

    Thank you for posting in our Q&A forum.

    Based on the description, I understand the servers you mentioned are in the domain, and the groups (such as Exchangeserver1-LocalAdmin) that match these server names are also in the domain.

    I think you can do it via two methods.

    Method 1

    Create one OU for each server.
    Put Server 1 in Server1OU, create GPO1 and link it to Server1OU, then edit GPO1 to add server1-LocalAdmin to local Administrators.
    Put Server 2 in Server2OU, create GPO2 and link it to Server2OU, then edit GPO2 to add server2-LocalAdmin to local Administrators.
    Put Server 3 in Server3OU, create GPO3 and link it to Server3OU, then edit GPO3 to add server3-LocalAdmin to local Administrators.

    Method 2
    Create one OU for all the servers.
    ServerOU puts all the servers.
    Create one GPO for each server.

    Create GPO1 and link it to ServerOU, and edit GPO1 to add server1-LocalAdmin to local Administrators (we can use Security Filtering to make GPO1 apply only to server1: give Authenticated Users only the Read permission, uncheck the Apply Group Policy permission, and add server1 with the Read permission and the Apply Group Policy permission).

    Create GPO2 and link it to ServerOU, and edit GPO2 to add server2-LocalAdmin to local Administrators (we can use Security Filtering to make GPO2 apply only to server2: give Authenticated Users only the Read permission, uncheck the Apply Group Policy permission, and add server2 with the Read permission and the Apply Group Policy permission).

    Create GPO3 and link it to ServerOU, and edit GPO3 to add server3-LocalAdmin to local Administrators (we can use Security Filtering to make GPO3 apply only to server3: give Authenticated Users only the Read permission, uncheck the Apply Group Policy permission, and add server3 with the Read permission and the Apply Group Policy permission).

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou



  2. Gary Reynolds 9,416 Reputation points
    2022-11-03T07:15:18.223+00:00

    The other method is to use the GPO GPP group management to add a group to a local group. If you set the group to be added based on an environment variable, i.e. %computername%-localadmin, then when the policy is applied the environment variable will be resolved and the corresponding group will be added to the local group, i.e. server1-localadmin.

    The advantage to this method is the group will only be added if it exists in AD, so you can rollout the policy to all servers and you only need to create the groups as required.

    Gary.

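As an added example (not code from the question or either answer), here is a PowerShell check a server admin could run on a domain-joined server to confirm that the %computername% pattern described above resolved to an existing AD group, that the group actually landed in local Administrators, and that nothing outside an expected baseline is in that group. The "-LocalAdmin" suffix, the baseline list and the RSAT ActiveDirectory module being installed are assumptions.

```powershell
# Added example (not from the question or either answer): verify the per-server
# local Administrators membership produced by the GPP "%computername%-localadmin"
# pattern, and report any members outside an expected baseline.
# Assumes the RSAT ActiveDirectory module and the built-in LocalAccounts cmdlets.
Import-Module ActiveDirectory

$expectedGroup = "$env:COMPUTERNAME-LocalAdmin"   # same resolution GPP performs
$domainNetbios = (Get-ADDomain).NetBIOSName

# Baseline of members that should always be present (assumed for this example).
$baseline = @(
    "$env:COMPUTERNAME\Administrator",
    "$domainNetbios\Domain Admins",
    "$domainNetbios\$expectedGroup"
)

# 1. Does the per-server group exist in AD? If not, the GPP item adds nothing.
$adGroup = Get-ADGroup -Filter "Name -eq '$expectedGroup'" -ErrorAction SilentlyContinue
if (-not $adGroup) {
    Write-Warning "AD group '$expectedGroup' does not exist; the GPP item will not add it."
}

# 2. Read the local Administrators group as the OS sees it right now.
$members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

# 3. Confirm the expected group was actually added by the policy.
if ($members -contains "$domainNetbios\$expectedGroup") {
    Write-Output "OK: $expectedGroup is a member of local Administrators."
} else {
    Write-Warning "MISSING: $expectedGroup is not in local Administrators (check gpresult /r)."
}

# 4. Flag anything outside the baseline: this is the drift to detect, e.g. an
#    account or group added by hand rather than through the GPO.
$unexpected = $members | Where-Object { $baseline -notcontains $_ }
foreach ($m in $unexpected) {
    Write-Warning "UNEXPECTED local Administrators member: $m"
}
```

Run it under an account that can read AD group objects; on a member server the LocalAccounts cmdlets need a local administrator session to enumerate the group.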
