How to manage local administrator accounts on Windows Servers and Workstations using Group Policy

  • Published 8 Apr 2022
  • Learn how to manage local administrator accounts on Windows Servers and Windows Workstations using Group Policy. In this example, I go over the process of creating new security groups, and adding those new security groups to the local Administrators group on domain member servers and workstations using Group Policy and item-level targeting.
    View the blog post here: www.dannymoran.com/manage-loc...
    Hi, I’m Danny Moran, a London based IT consultant and blogger. You can view all my blog posts at: www.dannymoran.com
  • Science & Technology
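The description above covers the two-step procedure (create the security groups, then push them into the local Administrators group with a Group Policy preference item). What follows is an added PowerShell example, not code from the video or the blog post, that scripts the first step and adds the check a practitioner wants afterwards: an audit of what is actually sitting in BUILTIN\Administrators on each target. It assumes the RSAT ActiveDirectory module on the admin host and WinRM plus PowerShell 5.1+ (for Get-LocalGroupMember) on the targets. The name sg-workstation-local is the one a commenter quotes from the video; sg-server-local, the OU path and the computer names are placeholders.

```powershell
# Added example, not from the video or blog post. Assumes the RSAT ActiveDirectory module on the
# admin host, WinRM enabled on the targets, and PowerShell 5.1+ there (for Get-LocalGroupMember).
# 'sg-workstation-local' is the group name quoted in the comments; 'sg-server-local', the OU
# path and the computer names are placeholders.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,OU=Company,DC=example,DC=local'
$Groups  = @{
    'sg-server-local'      = 'Pushed into BUILTIN\Administrators on member servers by GPO'
    'sg-workstation-local' = 'Pushed into BUILTIN\Administrators on workstations by GPO'
}

# 1. Create the security groups the GPO preference item will reference (idempotent:
#    -Filter returns nothing for a missing group instead of throwing like -Identity does).
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $GroupOU -Description $Groups[$name]
    }
}

# 2. After the GPO has applied (gpupdate /force on the targets), audit what is actually in the
#    local Administrators group. Anything other than the built-in Administrator (RID 500),
#    Domain Admins, and the two groups above is flagged so it can be reviewed and removed.
$Targets = 'WS01', 'WS02', 'SRV01'
$Allowed = @($Groups.Keys) + 'Domain Admins'

$members = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'Sid'; e = { $_.SID.Value } }
}

$audit = foreach ($m in $members) {
    $short          = $m.Name.Split('\')[-1]            # strip the DOMAIN\ or HOST\ prefix
    $isBuiltinAdmin = $m.Sid -like 'S-1-5-21-*-500'     # built-in Administrator, whatever it is named
    $isAllowedGroup = ($m.ObjectClass -eq 'Group') -and ($Allowed -contains $short)
    [pscustomobject]@{
        Computer   = $m.PSComputerName
        Member     = $m.Name
        Type       = $m.ObjectClass
        Source     = $m.PrincipalSource
        Unexpected = -not ($isBuiltinAdmin -or $isAllowedGroup)
    }
}

$audit | Sort-Object Computer, Member | Format-Table -AutoSize
$audit | Where-Object Unexpected | Export-Csv -NoTypeInformation -Path .\local-admin-audit.csv
```

Two caveats worth knowing when reading the audit output. A preference item with the Update action only adds the group; it does not take anything out, so a user who was granted local admin by hand before the GPO existed stays there until the item's "Delete all member users" / "Delete all member groups" options are ticked or the account is removed manually. And Get-LocalGroupMember can fail outright on a machine whose Administrators group still holds an orphaned SID from a deleted domain account; that machine then appears as an Invoke-Command error rather than a row, so treat errors as findings, not noise.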

Comments • 32

  • @Daan007
    @Daan007 1 year ago +1

    Incredible and clear video! Thanks.

  • @jcyanquen
    @jcyanquen 3 months ago

    Thank you for the video, it's very clear. I want to do this. But before that, I want to REMOVE all local users other than "Administrator" that are in the local Administrators group. Should I add a rule in the GPO to do this with higher priority than the rules you explained in this video?

  • @andrewenglish3810
    @andrewenglish3810 19 days ago +2

    Good video, but I have a question: how do I give someone enough rights to administer a server without them having full domain admin? Or is there any way to deny a group from connecting to a server or workstation?

    • @danny_moran
      @danny_moran 18 days ago

      This is a tough one. Usually, people just end up with local administrator permissions on the servers they need to manage. This removes the need for them to have domain admin accounts.
      This method is still overkill as most things don't require full local administrator access. The problem with just trying to use the principle of least privilege is that it's quite hard to manage and also takes a lot of time and effort to get correct.
      This doesn't really answer your question as it really depends on each network, what your risk tolerance is, how secure accounts are, and mainly, how likely the user is to destroy the network if they're given too much access.
      Thanks for watching!

  • @user-yy4gj5lk6m
    @user-yy4gj5lk6m 3 months ago +1

    Hi Danny, thank you for the informative video! I realize that you link GPOs to the domain directly in this and many other videos. I wonder if there would be any advantage to just link the GPO to the specific OU? For example, in this video, could we link Local Admin Permissions GPO to the Company OU instead?

    • @danny_moran
      @danny_moran 3 months ago

      It won't make any difference. As long as the servers and workstations are within the Company OU, then it will work fine.
      In these guides, I just link directly to the domain, as it's easier to explain and it will guarantee that it will work if someone copies the setup.
      Thanks for watching!

  • @mikeerandio7502
    @mikeerandio7502 1 year ago

    Nice tutorial. I have a question: what if I want to disable the local Administrator only? Is the policy still in effect for those who are members of sg-workstation-local? Can they still be a local administrator, for example your account with the name danny? Watching from PH.

    • @danny_moran
      @danny_moran 1 year ago

      You can disable the local administrator account and accounts added to the security groups will still work.
      Thanks for watching!

  • @KyngD469
    @KyngD469 8 months ago +2

    Does this work in combination with Restricted Groups? Restricted Groups doesn't work with domain groups.

    • @danny_moran
      @danny_moran 8 months ago +1

      This method doesn't work if you are also using Restricted Groups.
      Thanks for watching!

  • @gudeboindy6674
    @gudeboindy6674 10 months ago +2

    Local Users and Groups (Local): access denied. I can't see users and groups. Please, what can I do? Thanks.

    • @danny_moran
      @danny_moran 10 months ago +1

      If you're getting access denied, you need to use an account with administrator permissions on the workstation to access the local users and groups.
      Thanks for watching!

    • @gudeboindy6674
      @gudeboindy6674 10 months ago +1

      @@danny_moran Thanks for your support.

  • @Khanajk3
    @Khanajk3 9 months ago +1

    I have an issue.. Can you please guide me ?

    • @danny_moran
      @danny_moran 9 months ago

      What's the issue?

  • @leojk2861
    @leojk2861 6 months ago +1

    I tried both GPOs, using this method and the Restricted Groups method. The local administrator group (defined in AD) is indeed created on the client computer, but when I try to sign in with the user credentials of the local administrator security group, it ends in the error "the username or password is incorrect".
    To check this policy I try to log in as PcName\user (local administrator security group) instead of the domain; that is the reason the admin account is created on all workstations.
    Please guide why it ends in the error mentioned.

    • @danny_moran
      @danny_moran 6 months ago

      This method pushes a security group to the local Administrators group of servers and/or workstations.
      When you log in, you will want to use the domain user account of a member of the security group, and not a local user account.
      This method doesn't create a local user account, which is why you are getting an error.
      Thanks for watching!

    • @leojk2861
      @leojk2861 6 months ago +1

      @@danny_moran A few years ago, in a production environment, there was an issue where all domain users were unable to log into their accounts because of a domain trust relationship issue, and when those computers were joined to the domain I had disabled all their local admin accounts and no other account was created. I also could not log in using a domain admin account, and that was a wasted day. If such a thing happens again (AD not authenticating logins for whatever reason), will this account, which is created to mimic the local admin account, still work to log into Windows, even temporarily?

    • @leojk2861
      @leojk2861 6 months ago +1

      @@danny_moran no, thank you sir for your amazing videos and the fact you reply all questions. Great job 👍

    • @leojk2861
      @leojk2861 6 months ago +1

      I added a question to this topic but I cannot find it in the comments, so I am posting again, sir.
      A couple of years ago, when I was testing a domain and deployed it in a production environment, for some unknown reason the domain started declining logins due to a security trust relationship issue between the client and AD. When I had joined those machines to the domain, I disabled all local accounts, including the local admin account. So you can imagine, no user was able to log in to their computer and I had to go a long way to work around it, and it wasted their time and mine.
      My question is: if such an issue happens again for whatever reason, would this account, which is created to mimic the local admin account, let me log in to the computer, even temporarily, to back up the user's data?
      Or will it still require authentication from AD? The local admin account lets you log in even if the domain has a problem, but if I disabled the local admin account for security reasons and trust the account created as in this video, will it benefit me?

    • @danny_moran
      @danny_moran 6 months ago

      You should look into setting up LAPS. This will set a random password for the local Administrator account on all the workstations and store the password in AD. Then if you need to login to the machine using a local admin, then you can get the password from AD.
      How to setup and deploy LAPS (Local Administrator Password Solution): th-cam.com/video/iI1XA2G420U/w-d-xo.html

  • @shanuv8756
    @shanuv8756 2 years ago +1

    Hi, how can I change the password of the local Administrator on more than 2000 workstation PCs? I tried to update it using Group Policy; GPResult shows the policy is applied, but in Event Viewer the policy shows an error and the password didn't get changed.

    • @danny_moran
      @danny_moran 2 years ago +1

      Hi, I wouldn't recommend using Group Policy to update the local administrator password for workstations.
      You should look into using a tool called Local Administrator Password Solution (LAPS), which is published by Microsoft.
      You can download it from Microsoft here: www.microsoft.com/en-us/download/details.aspx?id=46899
      Thanks for watching!

    • @shanuv8756
      @shanuv8756 2 years ago +1

      @@danny_moran Is there any issue using LAPS in an existing Exchange 2013 hybrid environment?

    • @danny_moran
      @danny_moran 2 years ago

      I can't see why there would be any issues. LAPS just updates the local administrator password and stores it within Active Directory.
      I would recommend testing it in a lab before deploying into production if you have never used LAPS before.
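The two threads above (the broken-trust scenario where only a local account can still log on, and the question about rotating the local Administrator password on 2000+ workstations) both end with the same advice: use LAPS rather than a Group Policy password setting. The block below is an added PowerShell example, not code from the video or the linked LAPS guide, showing the two things an admin actually does with LAPS once it is deployed: check which computers in an OU have not received a managed password yet (or hold an expired one), and read the current password for one machine when a domain logon is not possible. The page only mentions the original Microsoft LAPS download; this example also handles Windows LAPS, which ships in current Windows builds and uses a different module and schema attribute. It assumes the RSAT ActiveDirectory module plus either the AdmPwd.PS module (legacy LAPS) or the LAPS module (Windows LAPS) on the admin host; the OU path and computer name are placeholders.

```powershell
# Added example, not from the video. Assumes RSAT ActiveDirectory plus either the legacy LAPS
# client module (AdmPwd.PS) or the Windows LAPS module (LAPS). OU path and computer name are
# placeholders; the account running this needs the LAPS read/"ReadPassword" right on the OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,OU=Company,DC=example,DC=local'
$Computer   = 'WS01'

# Pick the module that is installed; each stores its expiry stamp in a different AD attribute,
# and asking Get-ADComputer for an attribute the schema does not have is an error, so only the
# matching one is requested below.
if (Get-Module -ListAvailable -Name LAPS) {
    Import-Module LAPS
    $ExpiryAttr  = 'msLAPS-PasswordExpirationTime'        # Windows LAPS
    $GetPassword = {
        param($c)
        Get-LapsADPassword -Identity $c -AsPlainText |
            Select-Object ComputerName, Account, Password, ExpirationTimestamp
    }
}
elseif (Get-Module -ListAvailable -Name AdmPwd.PS) {
    Import-Module AdmPwd.PS
    $ExpiryAttr  = 'ms-Mcs-AdmPwdExpirationTime'          # legacy Microsoft LAPS
    $GetPassword = {
        param($c)
        Get-AdmPwdPassword -ComputerName $c |
            Select-Object ComputerName, Password, ExpirationTimestamp
    }
}
else {
    throw 'Neither the Windows LAPS module nor the legacy AdmPwd.PS module is installed.'
}

# 1. Coverage check. A computer with no expiry stamp has never had a managed password written:
#    the GPO has not reached it, the client is not installed, or the computer account lacks the
#    right to write its own attributes. An expired stamp means the client stopped rotating.
$nowUtc    = (Get-Date).ToUniversalTime()
$computers = Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties $ExpiryAttr
$notManaged = $computers | Where-Object { -not $_.$ExpiryAttr }
$expired    = $computers | Where-Object {
    $_.$ExpiryAttr -and ([DateTime]::FromFileTimeUtc([int64]$_.$ExpiryAttr) -lt $nowUtc)
}

'{0} enabled computers in scope: {1} without a LAPS password, {2} with an expired one' -f `
    @($computers).Count, @($notManaged).Count, @($expired).Count
$notManaged | Select-Object Name, DNSHostName

# 2. Read the current local Administrator password for one machine. Each read is written to
#    the domain controller's audit log, so this is the break-glass path for the trust-broken
#    case above: log on at the console as .\Administrator with this password.
& $GetPassword $Computer
```

The coverage check is the part worth scheduling: a machine that never received a managed password still has whatever password it was imaged with, which is exactly the shared-credential problem LAPS exists to remove, and the machine will not show up as a failure anywhere else.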

  • @walterbertin
    @walterbertin 2 years ago +1

    What is with the sound on some of your videos on TH-cam? I turn everything I have to 100% and can barely hear anything.
    Some videos' sound is good, some very weak, like this one here.

    • @danny_moran
      @danny_moran 2 years ago

      Hi, some of the original videos were created using a cheap headset. The newer videos are using a standalone microphone and should have better audio.
      Thank you for your feedback, and thanks for watching!

    • @walterbertin
      @walterbertin 2 years ago +1

      @@danny_moran Could you rework the bad ones, make like a second version of the video with better audio, especially the one "deploy Windows 11 using MDT and WDS"?
      Even though MDT and WDS are out of fashion now and Microsoft is forcing Intune and Autopilot, the old-fashioned method to deploy an OS is still of value as it is free. Intune and cloud cost money; next, they need bandwidth on the internet, and this is not available everywhere.

    • @danny_moran
      @danny_moran 2 years ago

      My plan is to refresh all of the videos I have created now that I have better equipment and have more of an understanding of video production. I'm not sure when I will get around to doing that as I have quite a lot on at the moment.
      I also plan on focusing more on Microsoft Azure and Microsoft 365 at some point in the future, but I haven't made the time to start doing that yet, unfortunately.