Use GPO to set user as a local administrator on a single computer.

This is a revision of a previous post I did. In this version there are fewer steps that need to be performed in the policy. The key here is Item Level targeting, it allows you to apply policies to specific targets in your Active Directory. In this case the target would be a specific computer.

Open up your group policy managment console. Via the run command if you’re on the server, gpmc.msc. I run my policy manager from a Win 7 desktop on the domain, for this you need to install and setup the Remote Server Administration Tools, and run them with Domain Admin credentials. Once you have this open navigate down through your forest and domain to the right organizational unit (ou) where your new admin policy will sit. Generally you want to apply this in the computer OU, as the policy will be affecting desktops on your domain.

Right click on the OU and select “Create a GPO in this domain, and Link it here…“. Give the new Group Policy Object a new name and click OK. Now right click the new GPO and select “Edit…“, this will bring up the GPO editor.


Since this policy applies to a specific computer we will select the Computer Configuration, Preferences, Control Panel Settings, and Local Users and Groups. On the right pane of this option right click and select New, Local Group. In the properties of this for Action: select Update. Group name: will be Administrators (built-in), this is the local Administrators group on all PCs. Rename to: renames the Administrators group on the target PC. Description: is just a description you might want to put in here “Administrators for computer X”. Next click Add under the Members: pane. This will bring up the Local Group Member prompt. In the Name: field type in %DomainName%\userid , where the userid is a specific logon ID and in my case tuser or my domain Test User account. %DomainName% is a variable and in this case it is the domain that the GPO resides in. If you want to see all the available variables hit F3 in the Name: field.

Click OK on the Local Group Member prompt.


Now click the Common tab in the New Local Group Properties window. Here is where we target which computer that this policy will be applied to. On the Common tab check off Item-level targeting and click the Targeting… button.


In the target editor on the top left select New Item and Computer Name. the NetBIOS computer name is should appear. In the pane below click the “” button, here is where you select the computer this policy will apply to. Type in a computer name and click Check Names, it should underline the computer name if found correctly.




Click OK, OK, and OK. Congratulations you have successfully assigned a user to the local administrator group on a single computer on the domain.


You can also rename this to reflect more closely what the Action does. Highlight it and press F2, then rename.



Go ahead, close the Group Policy Management Editor, you’re done.

NOTE: If you want to add a single user on the network as an Administrator on all the network computers your best bet for Item Level targeting is to create a Security Group and make all Domain computers members of this group. One you’ve done that use Item Level targeting and target this said group.


Microsoft does not understand it’s audience anymore.

Gamer’s a fickle bunch, strike that PC Gamer’s are a fickle bunch. Add to that a dash of Xbox One and a pinch of Windows 8.1 and you have yourself a perfect recipe for disaster.

Perhaps I’m exaggerating a bit, a behemoth like Microsoft would be and is really hard to take down. You have to give them credit where credit is due if anything but they are persistent.

Let’s look at windows 8 for a second, when it came out there was an outcry about the Start button. I think the cries where a little muffled by the time they got to Redmond though. I don’t think it was as much as the lack of a start button but more of the lack of desktop and the fact that the start menu would take up the entire screen. This lead to the slow adoption of the operating system. Don’t get me wrong, for tablet and a touch interface windows 8 is great, and that OS is very deserving of the form factor.

Queue Windows 8.1, I hopped on MSDN and I grabbed the early version available to subscribers. I grabbed the ISO and installed the OS via flash drive. After install I changed a few settings and rebooted. Awesome, it now boots into the desktop environment, start button is there but as soon as you press it, BAM! full screen persistent start menu. What we have now is desktop/tablet hybrid OS. I was so disappointed that I could not change the size of the menu, and that it eats up all my screen real estate, that it prevented me migrating from Windows 7 to 8. I feel like the start menu is way too intrusive in the desktop environment, and yes it is has more customization, but it is not the start menu I like and find convenient. It’s supposed to be a sub menu for the OS not a fully fledged application like interface. I guess the only option left for users of Win 7 that wish to migrate to Win 8 is Start8. As a gamer and heavy desktop user, this irks me a little.

This brings me to Xbox One, when I watched the unveiling I was slightly impressed with the features. However I noticed two things. One the lack of hardware specifications, and two the complete lack of game focus. Instead MS decided to focus on the media capabilities of the device what it can do for sports, and Television, etc. I thought to myself I’m a gamer, I don’t watch sports I only play them. I don’t even have cable television let alone any television subscription except for Netflix. No longer is the Xbox a gamecentric device. I get this, it is supposed to appeal to the whole family not just the gamer in the house, but what if the gamer in the house is the whole family? Either way it looks like an interesting multimedia device, if it is able to play MKVs it would be a winner in my living room for sure.

At the moment all the media is giving MS flack for not having as good hardware specs as the competition, saying it’s 50% less powerful than the rival. I kind of laugh at this because as someone with a Computer Engineering background I know that hardware specs don’t necessarily mean better experience or performance. Prior to the 360 being released 7 or 8 years ago I worked for a company that designed the testing hardware, we worked closely with Microsoft and the drivers for the 360 weren’t finished until a week prior to it being released. Not only that, but driver optimization is a powerful thing, and if Microsoft knows something it is software, perhaps not their audience but definitively software.

Look at Nvidia and AMD they optimize their GPU drivers heavily sometimes yielding 33% performance gains and that’s in an open system such as a PC, imagine the optimization that can take place in a closed system such as an Xbox One. So all the naysayers are probably still working with Alpha drivers complaining about performance, let’s see what November 22nd brings. Either way someone from MS should step out and say something to that effect, because all the dirty console peasants are up in a roar pitchforks and shovels in hand.

Use GPO to add a single admin user to only one computer on the domain.

UPDATE: This post has some great ideas, however if you’d like an easier way to accomplish this with Item-level targeting navigate to this new post.

This post I’m going to detour from the usual Home Theatre write up. I still have more Home Theatre to go through, however I though I would give this topic a little attention. So recently I embarked on locking down my companies computer systems and what better way to do it with than Group Policy. Well I ran into a little problem when I tried to assign a single user as a local administrator on a single domain computer, it seemed impossible to accomplish with Restricted Groups as they encompass the entire OU no one single computer.

I searched the dark recesses of the internet and I thought I had found a link on social.technet, but as it turned out this did not allow me to do all the work remotely and I had to add additional groups to the computers. Then further looking over what Alan Burchill wrote I concluded that with his implication of the policy local administrators would be able to add other network users as local administrators, this did not work for me. I want to rule with an Iron Fist!!!

Either way what Allan had set out for me in black and white was a very good start and it really helped . Some of the comments in the post also shone some light on the behaviour of the Policy. You can find Allan’s blog post in regards to this here:

What’s nice about this method is that it will also clean up your policy each time it gets updated or anyone logs on to the computers in the OU. So if anyone adds another admin user to the group they will be removed. Also if you have some old administrators on PCs that were added manually in the past and have since left this will remove them.

Well let’s get on with it then, shall we.

My environment consists of Server 2008 R2 and Windows 7 machines.

I run my policy editor on my local machine, however I recommend you run it off your server since you can run gpupdate /force from there as it propagates faster this way.

1. Start the policy editor  on your server by going to Start > Run > gpmc.msc

Create a new policy under the OU in which you have your domain computers.

12. Edit the policy and navigate to Local Users and Groups, Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.

3. Right click in the right pane of the window and select New > Local Group, you will be prompted with a New Local Group Policy window.

4. The Action heading should be set to Update,  from the Group name drop down list select “Administrators (built-in)”, check off  “Delete all member users” and “Delete all member groups”. Only use these options on the first Order policy as these are the options used to clear any previously assigned users and groups to the Local Administrators group.

25. Next we will add a single member to this new Local Admin policy. Click Add and you will be prompted with Local Group Member window, in the Name: section type in “BuiltIn\Administrator” this adds the Administrator account present on all machines to the Administrators group. For Action: select Add to this group.

6. Your Local Group Properties window should look like the following image. If yours looks the same go ahead and click OK.


7. This will take you back to the Group Policy Management Editor and you will have one policy with Order 1. The order is the order in which these policies get applied in. Since we’ll be adding more policies you may want to rename this policy in the Editor to something more descriptive like “Built in Local Admin”, highlight the policy and press F2 to do so.


In Allan’s blog he groups  the assignment of the Built in Admin account and Domain Administrators group in one Local Group. What I have found to be the case is that if you have more than one member that is to be added to the Local Group and one of these members does not exists or the spelling is incorrect the Local Group policy will stop processing as soon as it encounters and error and refrain from processing any further Member assignments. As a good practice try and assign one member per Order.

8. Let’s create a new policy. This time we will add the Domain Admins group as Administrators to all the OU computers. Follow steps 3 & 4 again, with one exception, do not check off  “Delete all member users” and “Delete all member groups” leave these unchecked otherwise when this policy is processed it will remove the previous members from policy Order 1  (Built in Local Admin).

9. When adding the member as in step 5, click in the Name: field and hit F3. You will be prompted with a Select a Variable window, select “DomainName” and make sure Resolve Variable is checked off then proceed and click Select. This will populate the Name field in the Group Member window add “\Domain Admins” to this so you have “%DomainName%\Domain Admins” in the Name field and click OK.


Your new policy should look something like the following image. You may not have a Domain Admins group on your domain, and if that is the case substitute the name of the group to the one that matches up with your domain administrators group. Now you should have two groups, go ahead and rename the second one as well. I renamed mine to Domain Admins.


10. In my 3rd order policy, since by default all local Administrator accounts are disabled, I ended up adding a local user account named “User” to all computers in the OU. Right click and select New User. It’s very similar to creating a new user on the domain.


11. In my 4th order policy I assign the User account to the Administrators (built-in) group. The only difference between this step and step 9 is instead of using the %DomainName% variable I’m using the %ComputerName% variable. Also to note you don’t need to hit F3 to select the variable you can type the information in manually ie. “%ComputerName%\User”. It should look like the following image. Click ok and rename the policy.


12. Now this is where the magic happens and we create an individualized local admin policy for a single computer. Before we create the policy we need to rename the Administrator group on each computer to something unique, after pondering this for a while I came up with the following solution. Create a new Local Group policy. Action: Update, Group Name: Administrators (built-in), Rename to: %ComputerName%.ADMIN. Do not Add any members leave this portion blank and click OK. Rename the policy if you would like.


The key here is the %ComputerName%.ADMIN, each computer will rename the Administrators group locally to something unique to that computer in this case it will use it’s name. For example a computer named DMCL-00203 will rename the local admin group to DMCL-00203.ADMIN. As seen below.


Once you have this in place you are able to add individual local administrators by creating new Local Group policies with higher orders than the policy which renames the local admin group.

13. To add a local administrator to computer DMCL-00203 create a new Local Group policy, Action: Update, Group name: DMCL-00203.ADMIN add a member using %DomainName%\UserId, UserID being a valid domain account.


You can add more member accounts to this policy just know that if it errors out or the account is invalid there is a possibility that the policy will not be applied to the computer. That is it, now you should have 6 policies in place depending on how many computers need local admin users. The order of the policies are important, for example you can not assign a local user to the admin group in order 6 if the user account gets created in order 7. Keep this in mind when designing your policy.


IMPORTANT UPDATE: So it seems the Active Directory likes to show all the computer admin groups created with in the policy on one single computer (see below). However that does not mean that the users in these groups have admin access to all computers on the network, having tested this they only have access to the computer they are assigned to. This is purely aesthetic.

adminoooIn order to avoid this purely asthetic replication to other computers except the target machine use “Item-Level Targeting”, it is available under the common tab. So at the end of step 13. click the common tab, and check item level targeting and click the Targeting button. Then in the Targeting Editor select New Item and Computer Name, then Type in the computer name or look it up in the Domain using the … button.

14 15