Thursday, September 10, 2015

How to - Adding AD Group to local computer Group using Group Policy

Last month I had written article on how to copy files on computers using Group Policy. This time I will be showing how to add AD Group in local machines Group, Same process can be used to create new local group. This can help to bring servers and computers in compliance. At this point I Have create one Group in AD called System Server_Administrators and I will be add this AD group vCloud.lab\server_Administrators to local machines Administrators group.

As a start below is the summary, In my Active Directory Users and Computers console I created OU called vCloud.lab and all my Computer accounts are in it under Computers OU. With correct step you can achieve great automation through Group Policy.
Here open Group Policy Management console from search or Administrative tools from Control Panel. Next collapse Group Policy Management >> Forest:DomainName(vCloud.lab) >> Domains >> DomainName(vCloud.lab) >> Group Policy Objects. Right click GPO (Group Policy Objects), and create a new policy. It is always best practive to have new policy for new setting instead of doing all the settings in one policy and also for any new policy create it under Group Policy Objects and link it later once your configuration is done.
Give policy some name, mine is Local_Administrators (Always use some good naming convention which I can understand afterwords). And click ok.
Now right click new created Local_Administrators policy. Edit it. To configure it,
Now collapse Computer Configuration Node >> Policies >> Windows Settings >> Security Settings >> Restricted Groups. Right click and Open Group. This will open another pop up window.
Here browse and add the Group which you want to add to Local machine Group. I have already created a group Server_Administrators in AD
Once the Group name vcloud\Server_Administrators is reflected in Group box, click OK for next.
Once you click ok this window will be closed, this group policy is created and it will be shown in right pane of Restricted Groups, here you have two options,

Members of this group: Use this option when you want create local group on machines. (as above step instead of browsing you can type some name for Group, it will be created on client machines) This group is member of: We are going to use this option as we want to add this AD Group to local machines Administrators. Click add button type Administrators, (Do not browse).
As per below screenshot AD Group Server_Administrators will be member of local Administrators group. Click OK button.
If everything is good as per below screenshot you should see Group name and Member of as expected. And close this GPO by clicking cross button, without this Group policy changes are not saved. (Many times I forgot this step while testing :))

Next is linking Local_Administrators GPO to OU where your computer accounts are residing, Mine are residing under vCloud.lab >> Computers. Right click Computers OU, Click Link an Existing GPO.
Select Local_Administrators GPO from the list. And click OK. This was the final configuration step on the Group Policy server.
When you see Computer OU, it will show Local_Administrators GPO as linked (shortcut icon), and also under Linked Group Policy Objects tab. Server side configuration is done now. It’s time to check on member machines.

On member computer servers (Client001 part of Computers OU), we need to verify whether changes has been applied, start run and open compmgmt.msc.

It opens Computer Management, Collapse System Tools. Go to groups under Local Users and Groups. And double click or go to properties of Administrators account.

If you check it, you won’t find group added, because it will take at least 90 mins to apply changes, This is the point where we have create GPO, linked it to OU but computers are not aware of it.

Instead of waiting for next cycle we can get policies applied immediately, for the same run “gpupdate /force” or reboot the server, Next generate the report what changes has been applied from group policy by running command “gpresult /h report.html”. You must be running cmd run as administrator to pull computer node configuration. Open report by executing command “start report.html”, It will open the web page
In this web page you can verify computer account, Group policy which has been applied, and under Computer configuration node, Restricted Groups is applied successfully. It shows everything what is failed and what is successfully applied.
Finally check Administrators properties again and hopefully you can see AD Group is added to local Group. And your PC is compliant now.

1 comment:

cionsystems said...

Thanks for sharing Active Directory Group Policy Management tips. for more info i rfer cion systems Active Directory Group Policy Management in USA.