Create an Active Directory group and add it to the local Administrators group on each server

LULU-6701 341 Reputation points
2022-03-13T19:29:55.677+00:00

Hi

We would like to create an Active Directory group for each server, and prevent local administrators from adding users (local or from Active Directory) as members of the local Administrators group.
We would like to control the list of members of the local Administrators group on each Windows server.

Any idea please ?


Accepted answer
Thameur-BOURBITA 36,261 Reputation points Moderator
2022-03-13T19:37:23.327+00:00

    Hi,

    You can create a group for each server using the following command:

    # Enumerate every enabled domain computer whose OS is a Windows Server edition and
    # create a matching "<ComputerName>_Administrators" domain local security group.
    # Requires the ActiveDirectory module (RSAT) and rights to create groups in the target OU.
    Get-ADComputer -Server contoso.com -Filter {(Enabled -eq $true) -and (OperatingSystem -like '*Server*')} |
        ForEach-Object {
            New-ADGroup -Name "$($_.Name)_Administrators" `
                -SamAccountName "$($_.Name)_Administrators" `
                -Description "Administrator Access for $($_.Name)" `
                -Path "OU=Groups -SVRAccess,OU=Role Based Access,OU=Groups,DC=contoso,DC=com" `
                -GroupCategory Security -GroupScope DomainLocal
        }


    You can create a scheduled task if you want to create this group automatically for newly joined servers.

    Then you can use Group Policy Preferences to add this group on each server:

    [Screenshot: 182545-image.png]

    In the setting above, you can also delete all existing users and groups and keep only the allowed groups.

    For more details, you can refer to the following link:

    Using Group Policy Preferences to Manage the Local Administrator Group

    Please don't forget to mark helpful reply as answer
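As an added example (not part of the accepted answer or the question above): a PowerShell check, run on a server, that compares the local Administrators membership against the allow-list the per-server group scheme implies and can bring it back in line the same way the GPP "delete all, keep only allowed groups" setting does. The domain NetBIOS name CONTOSO and the "<hostname>_Administrators" naming are assumptions that follow the answer's naming pattern.

```powershell
# Added example, not from the answer above. Audits the local Administrators group
# against an allow-list and optionally removes drift. Assumes PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, run elevated on a domain-joined server.
$Domain   = 'CONTOSO'                                   # assumed NetBIOS domain name
$Expected = @(
    "$Domain\${env:COMPUTERNAME}_Administrators"        # per-server AD group from the answer
    "$Domain\Domain Admins"                             # keep Domain Admins
    "$env:COMPUTERNAME\Administrator"                   # built-in local Administrator
)

function Get-LocalAdminDrift {
    param([string[]]$Allowed)
    # Get-LocalGroupMember reports Name as "DOMAIN\account" or "COMPUTER\account";
    # string comparisons below are case-insensitive, as PowerShell's -contains is by default.
    $members    = @(Get-LocalGroupMember -Group 'Administrators')
    $unexpected = @($members | Where-Object { $Allowed -notcontains $_.Name })
    $missing    = @($Allowed | Where-Object { $members.Name -notcontains $_ })
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        Unexpected = @($unexpected | Select-Object -ExpandProperty Name)   # members to remove
        Missing    = $missing                                              # allowed but absent
    }
}

# Remediation mirrors the GPP behaviour: anything not on the allow-list is removed,
# anything on the allow-list that is absent is added. Supports -WhatIf for a dry run.
function Repair-LocalAdminMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Allowed)
    $drift = Get-LocalAdminDrift -Allowed $Allowed
    foreach ($m in $drift.Unexpected) {
        if ($PSCmdlet.ShouldProcess($m, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
        }
    }
    foreach ($m in $drift.Missing) {
        if ($PSCmdlet.ShouldProcess($m, 'Add to local Administrators')) {
            Add-LocalGroupMember -Group 'Administrators' -Member $m
        }
    }
    Get-LocalAdminDrift -Allowed $Allowed    # return the post-repair state for logging
}

# Report only; run Repair-LocalAdminMembership -Allowed $Expected -WhatIf before enforcing.
Get-LocalAdminDrift -Allowed $Expected | Format-List
```

Run the audit on a schedule and alert on a non-empty Unexpected list to catch anyone bypassing the per-server group, whether or not GPP enforcement is in place.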

