Creating Group Policy in UCS - Domain Admins as Local Admins


#1

Hi all, is there any particular way to create a group policy in UCS that will automatically place members of the Domain Admins group as local administrators for each of my domain computers? Currently I do this by going to each machine after adding it to the domain and adding the group “Domain Admins” to the “Administrators” group in Computer Management. I previously had this going automatically via group policy on my Windows DC, hoping to replicate in UCS.

Thanks!


#2

Hi!

this works the same way in UCS as on a Windows AD DC (as long as you have the “Active Directory compatible Domain Controller” App installed on UCS). You can connect to the “AD side” of UCS via the Microsoft Group Policy Management Tool (included in the RSAT package: microsoft.com/en-US/downloa … x?id=45520 ). Then just follow any guide how to make certain Domain Users member of the local “Administrators” group, e.g. this one:
social.technet.microsoft.com/wik … l-pcs.aspx

Best regards,
Michael Grandjean


#3

Thanks Michael, that worked initially, but now for some reason I can’t add a second policy; it tells me “Access Denied”. The first policy worked just fine as written by the TechNet article you posted. Any idea what may have happened to the permissions? I’m not quite sure where to look. I’m using Group Policy Management as my own user, which is a member of Domain Users, Domain Admins, and Enterprise Admins.


#4

According to the search results for “Access denied” in conjunction with GPOs there are multiple causes.

I’d try using the “Administrator” account. Some search results mention missing rights for inherited permissions.


#5

[quote=“ahrnke”]According to the search results for “Access denied” in conjunction with GPOs there are multiple causes.

I’d try using the “Administrator” account. Some search results mention missing rights for inherited permissions.[/quote]

That seems to have worked…Windows permissions can be very odd! Thanks.