Task: How to remote desktop all the PCs in the domain without using domain administrator account.
You can create GPO and link the GPO to domain or OU containing all the computers.
Step 1 : Creating a Security Group
First you need to create a security group called Local Admin
- Log onto a Domain Controller, open Active Directory Users and Computers (dsa.msc)
- Create a security Group name it Local Admin
- Add the Help Desk members. I will add two users say Tom and Bob.
Step 2: Create Group Policy.
Next you need to create a group policy called “Local Admin GPO”
- Open Group Policy Management Console ( gpmc.msc )
- Right click on Group Policy Objects and Select New.
- Type the name “Local Admin GPO“
- You need to configure and link this GPO to OU or Domain.
Step 3: Configure the policy to add the “Local Admin” group as Administrators
Here you will add the Local Admin group to the Local Admin GPO policy and put them in the groups you wish them to use.
- Right click “Local Admin GPO” Policy then select Edit.
- Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups
- In the Left pane on Restricted Groups, Right Click and select “Add Group“
- In the Add Group, select browse and type Local Admin and then click “Check Names“
- Click OK
- Click Add under “This group is a member of:”
- Add the “Administrators” Group.
- Add “Remote Desktop Users”
- Click OK twice
NOTE# When adding groups, you can add whatever you want, the GPO will match the group on the system, if you type “Admins” it will match a local group called Admins if it exists and put “Local Admin” in that group.
Step 4: Linking GPO
- In Group policy management console, right click on the domain and select Link an Existing GPO
- Select the Local Admin GPO
Step 5: Testing GPOs
Log on to a PC which is join to the domain and then run gpupdate /force and check the local administrators group. You should see Local Admin in that group now.
Tom and Bob help desk admins can now access all PCs remotely as a local administrator.