Setting up local administrators

As I am building a small virtual network of machines for development purposes, I figured I might as well try to do things the right way instead of just running everything as Domain Administrator for the sake of convenience 🙂

Given that my main platform focus is Windows 10 / Server 2016 currently, I want to do as much as possible in a structured manner so I am setting up my AD structure. Tto keep things simple, I have an Organizational Unit (OU) for my user accounts, and one for the computers in my virtual network.

Much more structure would be relatively pointless for such a small environment, and conceptually it is not very different from the default Users and Computers container. Except, the default containers are just convenient visualizations in the domain root. It’s not possible to link Group Policies to them. You’d have to apply them to the Domain root.

And while that’s not a technical inconvenience, I prefer to have only things at the Domain root level that I want to apply to everything including Domain Controllers. Group Policy makes everything convenient and easy, including shooting yourself in the foot. And if you mess up the Domain Controllers, it will take your entire leg off. So I make an OU for users and one for computers in order to have better places to which to apply GPOs.

The first thing I want to configure is Local System Security. This is a generic title for everything in the category ‘I want to allow X to do Y, or enable Z’. The first order of business is configuring who gets to be an Administrator on the local machine. By default, that would be ‘Administrator’ and ‘Domain Administrators’. I want to add another group so that all group members get to be a Local Admin without having to be a Domain Admin, or without having to manually add individual users. Thankfully, Group Policy makes this trivial. I simply configure the following setting in my Local System Security GPO:

I add a restricted group called ‘Administrators’ which will map to the Administrators group on any computer to which this GPO is applied. And in it I add the 3 security principals I want to be a member.

Because this GPO is only applied to the Computers OU, the Domain Controllers are left out of scope.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s