...Because someone's gotta tell the story...





Adding Servers to Admin groups automatically

Monday, July 08, 2013 in Active Directory (Views: 2933)
This could be filed under many categories, but one common pitfall most admins face (in this case with SCCM) is that computer accounts need to be in local Administrators groups. If you have several such accounts, the wise thing to do is to add them to an AD group and add that group to the local Administrators group.

But, in a large enterprise, what if you have to wait on others? Well, wait no longer: here is an easy way to take care of this at the AD level, not at the local system level.

This, of course, assumes you have a "SCCM Site Servers" AD group, or something similar. If not, create it first.

Simply do this:
1. Create a group policy (or edit an existing one for the SCCM site servers).
2. Create a group policy preference (which is why this can go in an existing policy).
- The preference contains the following Computer Setting: Preferences\Control Panel Settings\Local Users and Groups
- Set the action for the Administrators group to "Update" and add the "SCCM Site Servers" AD group to it.
- Scope (or "item-level target") this setting only to computers in the SCCM Site Servers group.

What happens then is that when a server detects that it is a member of the group, it updates its own local Administrators group with the proper AD group automatically. No more waiting on someone else.
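To audit what a preference item like this actually grants, the following added example (not from the original post) parses a constructed Groups.xml of the kind the Local Users and Groups preference stores in SYSVOL and reports each group added to local Administrators, along with whether item-level targeting limits it. The CONTOSO domain, the SID and the function name Get-GppAdminGrant are assumptions made for illustration.

```powershell
# Constructed sample (not from the post). Real files live under
# \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml
# CONTOSO and the SID are placeholders.
$sample = @'
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="0" deleteAllGroups="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CONTOSO\SCCM Site Servers" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1105" />
      </Members>
    </Properties>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\SCCM Site Servers" sid="S-1-5-21-1111111111-2222222222-3333333333-1105" userContext="0" />
    </Filters>
  </Group>
</Groups>
'@

# Hypothetical helper: lists every account a preference item adds to BUILTIN\Administrators.
function Get-GppAdminGrant {
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($group in $Xml.SelectNodes('//Group')) {
        $props = $group.SelectSingleNode('Properties')
        # Only items that touch BUILTIN\Administrators (well-known SID S-1-5-32-544)
        if ($null -eq $props -or $props.GetAttribute('groupSid') -ne 'S-1-5-32-544') { continue }
        # Any child of <Filters> is an item-level targeting rule
        $filters = $group.SelectNodes('Filters/*')
        $targetGroups = foreach ($f in $group.SelectNodes('Filters/FilterGroup')) { $f.GetAttribute('name') }
        foreach ($member in $props.SelectNodes('Members/Member[@action="ADD"]')) {
            [pscustomobject]@{
                Member       = $member.GetAttribute('name')
                Action       = $props.GetAttribute('action')   # U = Update
                Targeted     = $filters.Count -gt 0            # False: applies to every computer in GPO scope
                TargetGroups = $targetGroups -join '; '
                # True when the item also clears existing members before adding
                WipesMembers = $props.GetAttribute('deleteAllUsers') -eq '1' -or $props.GetAttribute('deleteAllGroups') -eq '1'
            }
        }
    }
}

Get-GppAdminGrant -Xml $sample | Format-List
```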

It's a trick I've used since it came out in AD in 2008, and has worked like a champ.

