--- Sjoerd Hooft's InFormation Technology ---


Local Administrator GPO


This page describes how to create a GPO that makes every domain user a local administrator. Please remember that this is not best practice and you should have a really good reason to do this. The reason I did it is that software developers need local administrator rights to compile software. There isn't much I can do about it. The only thing I can do is have a good imaging policy. They break it, I image it!

AD Users and Computers

Creating the GPO can be done in a couple of ways. I take the easy way, with the Active Directory Users and Computers console. Select or create the OU where you want the policy to apply and open its properties:
In the new window select Group Policies and create a new one. Give the new GPO a name that describes its function. Then select Edit:
Go to “Computer Configuration” → “Windows Settings” → “Restricted Groups” and right-click it to select “Add Group”:
Type the name of the group you want to give local administrator rights on the computers beneath the OU:
In the new window, add “Administrators” to “This group is a member of”:

Save your settings and you're done.
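
To review what this setting wrote, the following added example (not part of the original page) parses a GPO security template, the GptTmpl.inf file stored with the GPO in SYSVOL, and lists the Restricted Groups entries that put a principal into the local Administrators group, flagging broad principals such as Domain Users. The template text, the EXAMPLE\Build Agents group and the function name Get-RestrictedGroupAdminGrant are constructed for illustration.

```powershell
# Constructed sample of a GptTmpl.inf security template (not from a real domain).
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-513__Members =
*S-1-5-21-1111111111-2222222222-3333333333-1604__Memberof = *S-1-5-32-555
EXAMPLE\Build Agents__Memberof = Administrators
'@

# Well-known broad principals with fixed SIDs; Domain Users is matched by RID 513 below.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }

# Hypothetical helper: returns one object per principal that Restricted Groups
# makes a member of the local Administrators group (S-1-5-32-544).
function Get-RestrictedGroupAdminGrant {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        # Only the "This group is a member of" entries matter here.
        if (-not ($line -match '^(.+?)__Memberof\s*=\s*(.*)$')) { continue }

        $principal = $Matches[1].TrimStart('*')
        $targets   = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        # Administrators appears as its SID or, if it was stored unresolved, by name.
        if ($targets -notcontains 'S-1-5-32-544' -and $targets -notcontains 'Administrators') { continue }

        if ($broad.ContainsKey($principal)) {
            $label = $broad[$principal]
        } elseif ($principal -match '^S-1-5-21-(\d+-){3}513$') {
            $label = 'Domain Users'
        } else {
            $label = $null
        }
        [pscustomobject]@{ Principal = $principal; KnownAs = $label; Broad = [bool]$label }
    }
}

Get-RestrictedGroupAdminGrant -InfText $sampleInf | Format-Table -AutoSize
```

To audit a real GPO, pass the content of its GptTmpl.inf (read with Get-Content -Raw) instead of the sample text.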

Refresh GPO

Remember that group policies can take a while before they are applied. They are refreshed and computer and user settings are applied in the following instances:

  • When a user logs on
  • When gpupdate is run at the client computer
  • At the refresh interval, if one is configured at that computer
    • By default:
      • Domain controllers are refreshed every five minutes
      • All other computers are refreshed every 90 minutes, with a random offset of up to plus or minus 30 minutes (the offset interval)

You can change these settings using gpedit.msc: start it and go to “Computer Configuration” → “Administrative Templates” → “System” → “Group Policy”:

See this Microsoft knowledgebase article for more information on how to change these settings.

Refresh GPO remote

There are no ways to do a remote GPO refresh using Windows tools only. There are, however, several tools which will let you do this. This section describes using psexec.exe, a lightweight telnet substitute that can be used to launch processes on remote Windows computers. It's originally from Sysinternals.

Once you've downloaded psexec, open a command prompt and type

psexec \\computer cmd 

where computer is the name or IP address of the remote desktop computer you are targeting. Once you've done this, you're looking at an interactive command prompt on the remote computer, and any command you now type (like gpupdate /force) will be executed on the remote machine instead of the local one. Of course, this can also be done on several computers automatically when you use a computer list:

Psexec.exe @ComputerList.txt Gpupdate.exe /Target:User /force
Psexec.exe @ComputerList.txt Gpupdate.exe /Target:Computer /force
localadministratorgpo.txt · Last modified: 2013/04/20 15:03 by sjoerd