Hey everyone! I'm trying to find a way to allow users from certain groups in my Active Directory to have local admin rights on their PCs. Currently, I'm using Group Policy Objects (GPO) with restricted groups, but this sets AdminCount=1 for these users, which messes up Self-Service Password Reset (SSPR) since it doesn't work for protected users. I'm stumped — any advice on how I can achieve this without running into these issues?
3 Answers
Yes, that’s a fantastic solution! I'm glad you found it helpful! Let me know if you run into any more speed bumps while testing it next week. Enjoy your long weekend!
Just a quick note — when you set the members to YOURDOMAIN\LA_%computername%, it essentially tells the specific computer to add its corresponding LA group to the local admins. So for instance, "workstation4" adds the group "LA_workstation4" to the local admin list. Definitely try this out!
It sounds like you're encountering the AdminCount issue because of how your existing GPO is configured with groups. You might want to create a new group called "ManagedLocalAdmin" and then set up individual groups for each computer, like "LA_computer1," "LA_computer2," etc. Then, add the relevant local admin users to these respective groups.
This way, you can create a new workstation GPO called "ManageLocalGroups" and set it up under Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. You will add a new group under Local Group with actions set to 'Update', targeting the Administrators group with the members set to YOURDOMAIN\LA_%computername%.
Also, don’t forget to enable item-level targeting and select your "ManagedLocalAdmin" group. This will ensure that any machine in that group adds the local admins automatically. Just remember to run gpupdate and do a restart afterward! Good luck!
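
The Active Directory side of the setup described in the answer above can be scripted. This is an added example, not part of the original posts; the OU paths are placeholders (assumptions), and it assumes the RSAT ActiveDirectory PowerShell module is installed. It also lists members of the LA_ groups that still carry adminCount=1, the attribute the question ties to the SSPR failure.

```powershell
#Requires -Modules ActiveDirectory
# Added example. OU paths are placeholders (assumptions), not values from the thread.
$WorkstationOU = 'OU=Workstations,DC=example,DC=com'      # assumed OU holding the PCs
$GroupOU       = 'OU=LocalAdminGroups,DC=example,DC=com'  # assumed OU for the new groups
$TargetGroup   = 'ManagedLocalAdmin'                      # group used for item-level targeting

# Create the targeting group once if it does not exist yet.
$target = Get-ADGroup -Filter "Name -eq '$TargetGroup'"
if (-not $target) {
    $target = New-ADGroup -Name $TargetGroup -SamAccountName $TargetGroup `
        -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
}

$computers = Get-ADComputer -SearchBase $WorkstationOU -Filter * -Properties MemberOf
foreach ($pc in $computers) {
    $laName = "LA_$($pc.Name)"

    # One security group per computer. The GPP item resolves DOMAIN\LA_%computername%
    # by sAMAccountName, so set it explicitly to match the computer name.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$laName'")) {
        New-ADGroup -Name $laName -SamAccountName $laName `
            -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description "Local administrators of $($pc.Name)"
    }

    # Add the computer account to the targeting group, skipping existing members.
    if ($pc.MemberOf -notcontains $target.DistinguishedName) {
        Add-ADGroupMember -Identity $target -Members $pc
    }
}

# Report users in the LA_ groups that are still flagged adminCount=1.
# The attribute is not cleared automatically when a user leaves a protected
# group, so accounts flagged earlier keep it until it is reset.
Get-ADGroup -SearchBase $GroupOU -Filter "Name -like 'LA_*'" |
    Get-ADGroupMember |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties adminCount |
    Where-Object adminCount -eq 1 |
    Select-Object SamAccountName, adminCount -Unique
```

Users are then added to the individual LA_ groups by hand or by a separate process; the script only creates the empty groups and the targeting membership.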