Create Local Admin Account Through GPO

  • Create Local Admin Account Through GPO

    I'm trying to push out a local admin account via GPO, but the option is blocked by MS due to security concerns.

    I came across this workaround:


    1) Create a local admin group in AD
    2) Add the needed users to the group
    3) Create a new group policy to push the policy
    4) Expand “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Restricted Groups”
    5) In the “Add Groups” interface you add the group you created in steps 1 and 2 above
    6) Attach this policy to the computers OU


    However, I can't use a domain account since I'm going to use it to perform a function across two domains (even though there's a trust between the domains, the account used for the function must authenticate on both systems; creating a local admin account on each system with the same username/pass is the only way to get it to work).

    Is there a supported way to push out a local admin account via GPO?

  • #2
    Re: Create Local Admin Account Through GPO

    Your list doesn't address this, so I'll ask: did you populate both the upper and lower panes in the Restricted Groups wizard? The top pane is where you add the local admins group you created, but the lower pane is where you tell GP what local PC group your named group is supposed to be added to. In your case, you should see 'Administrators' in the lower pane. If that pane is blank, your admins aren't added anywhere.

    There are separate Add & Remove buttons for each of those panes, as separate steps. The wizard doesn't warn you if the second one is empty.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Create Local Admin Account Through GPO

      That's not the way I have always understood (and taught) it (I am always open to correction, however).

      Adding to the top pane replaces the current membership of the selected group with the ones you add.

      Adding to the bottom pane adds the current group to the ones you add (but does not remove existing members).

      So to replace existing local administrators with domain admins, open the Administrators group and add Domain Admins to the top pane.

      To add domain admins to local administrators, keeping existing members, open Domain Admins and put Administrators in the bottom pane.
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **
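A way to confirm which of the two pane semantics actually took effect, as an added example that is not code from this thread: it reads the local Administrators group on each target and flags hosts where the expected domain group is missing or where extra local users survived a top-pane (replace) policy. It assumes PowerShell Remoting is enabled, Get-LocalGroupMember is available on the targets (PowerShell 5.1+), and the computer and group names are placeholders.

```powershell
# Added example, not code from the thread. Verifies what Restricted Groups left
# in the local Administrators group on each target, so a wizard filled in on the
# wrong pane (or a policy that never applied) is caught rather than assumed.
# Assumptions: PowerShell Remoting is enabled on the targets, Get-LocalGroupMember
# exists there (PowerShell 5.1+), and the names below are placeholders.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),          # constructed sample targets
    [string]$ExpectedGroup = 'CONTOSO\WorkstationAdmins'  # the group created in AD
)

$members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

foreach ($computer in $ComputerName) {
    $onHost = @($members | Where-Object { $_.PSComputerName -eq $computer })
    if ($onHost.Count -eq 0) {
        Write-Warning "$computer : no data returned (offline, remoting blocked, or empty group)"
        continue
    }
    $hasExpected = $onHost.Name -contains $ExpectedGroup

    # Top-pane ("Members of this group") enforcement replaces the membership, so any
    # local user other than the built-in Administrator means the policy is not in
    # effect or was configured in the bottom pane instead.
    $unexpectedLocal = @($onHost | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and
        $_.Name -notlike '*\Administrator'
    })
    $status = if ($hasExpected -and $unexpectedLocal.Count -eq 0) { 'OK' } else { 'CHECK' }

    [pscustomobject]@{
        Computer              = $computer
        HasExpectedGroup      = $hasExpected
        UnexpectedLocalAdmins = ($unexpectedLocal.Name -join ', ')
        Status                = $status
    }
}
```

Run it after a `gpupdate /force` on the targets; a host reporting CHECK is where the wizard needs a second look.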



      • #4
        Re: Create Local Admin Account Through GPO

        Originally posted by RicklesP:
        Your list doesn't address this, so I'll ask: did you populate both the upper and lower panes in the Restricted Groups wizard? The top pane is where you add the local admins group you created, but the lower pane is where you tell GP what local PC group your named group is supposed to be added to. In your case, you should see 'Administrators' in the lower pane. If that pane is blank, your admins aren't added anywhere.

        There are separate Add & Remove buttons for each of those panes, as separate steps. The wizard doesn't warn you if the second one is empty.
        I didn't modify anything in the restricted groups wizard because the work around I posted doesn't seem to do what I want (i.e., push out a local admin account with a specified password). It only adds domain accounts to the local admin group.

        I assumed I could push out a local admin account via GPO, but apparently that's not supported any longer.

        Any idea how to do this?



        • #5
          Re: Create Local Admin Account Through GPO

          If you refer to the very helpful, but apparently unknown, site called you get a lot of options to create local accounts, then you can add to the appropriate group as above.

          https://www.google.co.uk/search?q=gp...oBw&gws_rd=ssl

          Using Group Policy Preferences is my preferred way
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland



          • #6
            Re: Create Local Admin Account Through GPO

            Originally posted by Ossian:
            If you refer to the very helpful, but apparently unknown, site called you get a lot of options to create local accounts, then you can add to the appropriate group as above.

            https://www.google.co.uk/search?q=gp...oBw&gws_rd=ssl

            Using Group Policy Preferences is my preferred way
            Haha...I've Googled extensively, and the group policy preferences method has been disabled due to security concerns. The workaround I posted earlier was posted in the comments section of a site that advocates that way. Maybe you're using an older version of AD/GP?

            I get the attached error when trying to create a user through Group Policy Preferences.

            As of now, I haven't been able to find a way to push out a local admin account with a specified password.

            The reason I need to push out a local admin account in the first place is simple. I need to run a script that copies files between 2 domains, but domain accounts don't authenticate on both systems. Running the script with a local admin account that exists on both systems with the same username/pass is the only way to get it to work.

            Maybe there's a workaround for that? There's a trust between the domains, but I don't know how to leverage that to use domain accounts instead.



            • #7
              Re: Create Local Admin Account Through GPO

              Sorry, my crystal ball must be failing again as I hadn't picked up anything about GPPs in your earlier posts.

              Regarding the screenshot, can you also give the help text or link, but I suspect it is a general warning rather than a "do not"

              What is wrong with the usual mechanism with trusted domains - add a user or group from domain A to a group in domain B with permissions on the resource?
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland



              • #8
                Re: Create Local Admin Account Through GPO

                Sorry, my crystal ball must be failing again as I hadn't picked up anything about GPPs in your earlier posts.
                Doesn't pushing out an account via GPO imply using GPP, since that's the standard way to do it?


                Regarding the screenshot, can you also give the help text or link, but I suspect it is a general warning rather than a "do not"
                Here is the official MS article that mentions disabling the ability to push out an account with a specified password:


                support.microsoft.com/en-us/kb/2962486/en-us


                They provide a PowerShell script to change passwords, but I wanted to push everything out through a GP setting.


                What is wrong with the usual mechanism with trusted domains - add a user or group from domain A to a group in domain B with permissions on the resource?
                I tried adding my domain admin account "DOMAIN1\DomainAdmin1" to the Domain Admin group on DOMAIN2, but it cannot find the user. I can't select DOMAIN1 as a location to look for users when adding them to groups on DOMAIN2.
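The KB article cited above disabled the editor from saving new passwords in Group Policy Preferences; items created before the update stay in SYSVOL, where every authenticated domain user can read them. The following audit is an added example, not code from the thread or from the KB article: it walks the domain's Policies share and reports every preference item that still carries a `cpassword` attribute, without decoding the value. It assumes a domain-joined host that can read SYSVOL; the function name `Get-GppCpasswordItem` is hypothetical.

```powershell
# Added example, not code from the thread or from KB2962486. Lists the Group
# Policy Preferences items in SYSVOL that still carry a 'cpassword' attribute:
# the update only stopped the editor from creating new ones, and existing items
# remain readable by every authenticated domain user until they are deleted.
# The password value is reported as present, never decoded.
# Assumes a domain-joined host; the domain name is taken from the environment.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Preference types whose Properties element can embed credentials
$prefFiles    = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'
# Attribute naming the account, which differs per preference type
$accountAttrs = 'userName', 'accountName', 'runAs', 'username'

function Get-GppCpasswordItem {
    param([string]$Path = $policies)
    Get-ChildItem -Path $Path -Recurse -Include $prefFiles -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        try   { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Skipping unreadable $($file.FullName): $_"; return }
        # Any element carrying a cpassword attribute, whatever the item type
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $account = foreach ($a in $accountAttrs) {
                if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
            }
            $scope = if ($file.FullName -match '\\Machine\\') { 'Computer' } else { 'User' }
            [pscustomobject]@{
                GpoGuid = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]+\}').Value
                Scope   = $scope
                File    = $file.Name
                Account = $account
                Action  = $node.GetAttribute('action')            # C, R, U or D
                Changed = $node.ParentNode.GetAttribute('changed') # last edit timestamp
            }
        }
      }
}

# Every row is an item to delete from its GPO, and an account whose password to rotate
Get-GppCpasswordItem | Format-Table -AutoSize
```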



                • #9
                  Re: Create Local Admin Account Through GPO

                  Any ideas on how to push a local admin account out with specified password? I guess I'd be willing to use PowerShell if Group Policy isn't an option.



                  • #10
                    Re: Create Local Admin Account Through GPO

                    Originally posted by blashmet
                    Doesn't pushing out an account via GPO imply using GPP, since that's the standard way to do it?
                    No it doesn't. In our world, of TCP, it is the responsibility of the SENDER to make sure the RECIPIENT (reader) understands the message. If this is not the case then the SENDER is required to resend the message so it is understood.
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2



                    • #11
                      Re: Create Local Admin Account Through GPO

                      Originally posted by biggles77:
                      No it doesn't. In our world, of TCP, it is the responsibility of the SENDER to make sure the RECIPIENT (reader) understands the message. If this is not the case then the SENDER is required to resend the message so it is understood.
                      I agree the OP should add additional information or clarify if the original post isn't clear.

                      But this isn't really relevant to my question because it asked if what I posted implies something else.

                      An appropriate answer would be either "no, pushing out an account via GPO does not imply using GPP because there are other common ways of doing this" or "yes, it does imply that."

                      In any case, I'd still like to know if there is a way to push out local admin accounts with a specified password, even if PowerShell is the only option.



                      • #12
                        Re: Create Local Admin Account Through GPO

                        Startup/Logon/Logoff/Shutdown Scripts
                        Remote Management
                        SCCM task sequences
                        Remote Powershell
                        Psexec
                        GPPs
                        Tom Jones
                        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                        PhD, MSc, FIAP, MIITT
                        IT Trainer / Consultant
                        Ossian Ltd
                        Scotland



                        • #13
                          Re: Create Local Admin Account Through GPO

                          Originally posted by Ossian:
                          Startup/Logon/Logoff/Shutdown Scripts
                          Remote Management
                          SCCM task sequences
                          Remote Powershell
                          Psexec
                          GPPs
                          I am trying to accomplish the same as blashmet and have come up with the same conclusion. It seems GPO does not support creating a local admin account, as it does not pass password credentials anymore, due to security concerns.

                          I see you give these as other options, but we are asking for help on how to use these options to achieve what we are going for - creating a local admin account on a pool of workstations, passing a specific username and password.



                          • #14
                            Re: Create Local Admin Account Through GPO

                            Originally posted by blashmet:
                            Doesn't pushing out an account via GPO imply using GPP, since that's the standard way to do it?

                            Here is the official MS article that mentions disabling the ability to push out an account with a specified password:

                            support.microsoft.com/en-us/kb/2962486/en-us

                            They provide a PowerShell script to change passwords, but I wanted to push everything out through a GP setting.

                            I tried adding my domain admin account "DOMAIN1\DomainAdmin1" to the Domain Admin group on DOMAIN2, but it cannot find the user. I can't select DOMAIN1 as a location to look for users when adding them to groups on DOMAIN2.

                            I have also come across this MS article mentioning disabling the ability to push out accounts with a specified password. Here is a quote on the workaround they suggest, but this is my problem: "This workaround does require a connection to Active Directory Domain Services when the user is logged on by using these credentials."

                            I need to be able to log on LOCALLY without DOMAIN\Username. I want LOCALMACHINE\Username.



                            • #15
                              Here is a tool to manage the local administrator account on all domain joined computers.
                              https://code.msdn.microsoft.com/Solu...nt-of-ae44e789

                              It facilitates assigning long, random passwords to the local administrator accounts and stores the info in secure AD properties. It also handles changing the passwords on a regular basis and updating AD with the info.

                              Regards,
                              Jeremy

                              Network Consultant/Engineer
                              Baltimore - Washington area and beyond
                              www.gma-cpa.com
