You can create a GPO (Group Policy Object) and link it to the domain, or to an OU (Organizational Unit) that contains all the computers. Below are the steps to follow.
Step 1: Creating a Security Group
First, you need to create a security group called Group Local Administrators.
- Log onto a Domain Controller and open Active Directory Users and Computers (dsa.msc).
- Create a security group: from the menu select Action | New | Group.
- Name the group Group Local Administrators and make sure the group type is Security.
- Add the Help Desk members to the Group Local Administrators group. In this example I will add two users, say Tom and Bob.
Step 2: Create a Group Policy.
Next, you need to create a group policy called “GPO-Local Admin ALL PCs”.
- Open the Group Policy Management Console (gpmc.msc).
- Right click on Group Policy Objects and select New.
- Type the name of the policy: “GPO-Local Admin ALL PCs”.
Step 3: Configure the policy to add the Group Local Administrators group to the local Administrators group
Here you add the Group Local Administrators group to the GPO-Local Admin ALL PCs policy and specify which local groups it should be placed in.
- Right click the “GPO-Local Admin ALL PCs” policy and select Edit.
- Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
- In the left pane, right click Restricted Groups and select “Add Group”.
- In the Add Group dialog box, click Browse, type Group Local Administrators and then click “Check Names”.
- Click OK twice to close the dialog box.
- Click Add under “This group is a member of:”
- Add the “Administrators” group.
- Add the “Remote Desktop Users” group.
- Click OK twice.
Use “This group is a member of”, not “Members of this group”. The “member of” list is additive: it only adds Group Local Administrators to the local groups you name. The “Members” list is authoritative: every policy refresh replaces the entire membership of the group with exactly what is listed, which would remove the built-in Administrator account and any other existing local administrators.
NOTE: When adding groups under “This group is a member of”, you can type any group name; the GPO matches it against the local groups on each computer. If you type “Admins”, it will match a local group called Admins (if one exists) and put Group Local Administrators in that group.
Step 4: Link the GPO to the domain or OU
- In the Group Policy Management Console, right click on the domain or the OU containing the PCs and select Link an Existing GPO.
- Select GPO-Local Admin ALL PCs. Prefer linking to an OU that holds only the workstations; a link at the domain root would also make the Help Desk local administrators on member servers and domain controllers in that scope.
Step 5: Testing GPOs
Log on to a PC that is joined to the domain, run gpupdate /force, and then check the local Administrators group (for example with net localgroup Administrators). You should now see Group Local Administrators in that group. Make sure every PC you want to manage is moved into an OU to which the GPO above is linked. The domain users Tom and Bob can now access all of those PCs remotely as local administrators.
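The same procedure scripted in PowerShell, as an added example that is not part of the original article. Part A covers Steps 1, 2 and 4 on the domain controller with the RSAT ActiveDirectory and GroupPolicy modules; Step 3 (Restricted Groups) has no GroupPolicy-module cmdlet and is still done in the GPMC editor as described above. Part B is the Step 5 check on a domain-joined PC, and it also verifies that the existing local administrators survived the refresh. The domain CORP (DN DC=corp,DC=example), the OU OU=Workstations,DC=corp,DC=example and the account names tom and bob are assumptions for the example.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not the article's own code. Assumed names: domain CORP / DC=corp,DC=example,
# an OU holding only workstations, and Help Desk accounts tom and bob.

# ---------------- Part A: run on a domain controller ----------------
$GroupName = 'Group Local Administrators'
$GpoName   = 'GPO-Local Admin ALL PCs'
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'   # assumption: OU containing the PCs
$HelpDesk  = @('tom', 'bob')                         # assumption: sAMAccountNames of Tom and Bob

# Step 1: create the global security group (idempotent) and add the Help Desk members
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators on all PCs via Restricted Groups GPO'
}
Add-ADGroupMember -Identity $GroupName -Members $HelpDesk

# Step 2: create the (still empty) GPO
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName `
        -Comment "Restricted Groups: $GroupName is a member of Administrators and Remote Desktop Users"
}

# Step 3: open the GPO in gpmc.msc and configure Restricted Groups exactly as in Step 3 above
# ("This group is a member of": Administrators, Remote Desktop Users). There is no cmdlet for it.

# Step 4: link the GPO to the workstation OU (not the domain root, which would also cover
# servers and domain controllers placed under it)
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# ---------------- Part B: run elevated on a domain-joined PC ----------------
$GpoName     = 'GPO-Local Admin ALL PCs'
$DomainGroup = 'CORP\Group Local Administrators'    # assumption: NetBIOS domain name CORP

# Step 5: refresh computer policy, then verify the result rather than trusting gpupdate's exit code
gpupdate /target:computer /force | Out-Null

# Restricted Groups is a computer-side setting, so it must show under "Applied Group Policy Objects"
$applied = (gpresult /r /scope:computer) -match [regex]::Escape($GpoName)

$admins = Get-LocalGroupMember -Group 'Administrators'        | Select-Object -ExpandProperty Name
$rdp    = Get-LocalGroupMember -Group 'Remote Desktop Users'  | Select-Object -ExpandProperty Name

[pscustomobject]@{
    GpoApplied       = [bool]$applied
    InAdministrators = $admins -contains $DomainGroup
    InRemoteDesktop  = $rdp    -contains $DomainGroup
    # "This group is a member of" is additive, so the built-in Administrator account and any
    # pre-existing local admins must still be listed here. If this list shrank to only the
    # domain group, the GPO was built with "Members of this group", which replaces membership.
    LocalAdminsNow   = $admins -join ', '
}
```

Run Part A once on a domain controller, then Part B on each test PC; InAdministrators and InRemoteDesktop should both be True and LocalAdminsNow should still include Administrator and the other accounts that were there before the policy applied.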