Would like to know if it's possible to add a domain computer object to its own built-in local group via GPO.

Assume that the domain is abc.com.

Example:

Suppose I have a computer object where the %computername% is Server01. It is a member server. After logging in to it and checking local users and groups, I have a built-in Administrators group. I would like to add Server01 to this group via GPO.

Is the above possible? I'm asking as I have to do the same for quite a lot of host machines, so doing so manually is out of the question. Also, I would prefer this to be done via GPO, as these VMs have been hardened, so firewall rules are heavily enforced. Stuff like WinRM via PowerShell will NOT work.

Aulis Ronkainen
  • What's the goal of this, exactly? (I thought the computer object was only relevant for _network_ credentials?) – u1686_grawity Jul 18 '19 at 09:38
  • @grawity I can't see any valid reason for this either. Maybe an X-Y problem. – Tonny Jul 18 '19 at 09:42
  • You may add a domain account to local administrators, but not a computer. – harrymc Jul 18 '19 at 10:13
  • Possible duplicate of [How to add a domain user to Administrators group in Windows 10](https://superuser.com/questions/954159/how-to-add-a-domain-user-to-administrators-group-in-windows-10) – harrymc Jul 18 '19 at 10:16
  • I was told that this is needed in order to solve the CredSSP issue. I have already set the required setting to "vulnerable" and it has been pushed down to my servers. However, SCVMM is still complaining about this CredSSP issue and any MSTSC sessions will intermittently lose connection anywhere between 15 mins to maybe a couple of hours. Obviously updating them to the latest patch will solve this issue but this is not possible in a production environment. I was informed that adding the computer object to the default built-in administrators group worked, which is what I observed as well. – Wilson Toh Jul 19 '19 at 08:03
  • Also I just realized I meant to add this to the physical host not VMs. Edited the question. – Wilson Toh Jul 19 '19 at 08:28
  • @harrymc I'm very sure you can add the computer object to the built-in administrators group as that is what we have on several servers at the moment. You may want to test this in a lab. – Wilson Toh Jul 19 '19 at 08:32

1 Answer

According to this post (if it applies to your case), the following PowerShell code may do it:

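```powershell
# Bind to the local group MyGroup on MyComputer through the WinNT ADSI provider
$Group = [ADSI]"WinNT://MyComputer/MyGroup,group"
# Bind to the domain computer account; the trailing $ marks a machine account
$Computer = [ADSI]"WinNT://MyDomain/OtherComputer$"
$Group.Add($Computer.Path)
```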

It is noted in the post that the code will not work for a remote computer without the $ at the end of the string for $Computer.

harrymc
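
To check the result on a host, the following added example (not part of the original question or answer) lists the members of the local Administrators group through the same WinNT provider and flags machine accounts, which are the names ending in `$`. The function name `Get-LocalAdminMember` is hypothetical, and the group name assumes an English-language Windows installation.

```powershell
# Added example, not from the original post.
# Lists local Administrators members and flags machine accounts (name ends in '$').
function Get-LocalAdminMember {
    param(
        # Host to inspect; defaults to the machine the script runs on
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: English group name; localized systems use a different name
        [string]$GroupName = 'Administrators'
    )

    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members are returned as raw COM objects, so properties are read via reflection
        $type = $member.GetType()
        $name = [string]$type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $path = [string]$type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

        [pscustomobject]@{
            Name              = $name
            ADsPath           = $path
            IsComputerAccount = $name.EndsWith('$')
        }
    }
}

# Machine accounts first, so unexpected ones stand out in a review
Get-LocalAdminMember |
    Sort-Object IsComputerAccount -Descending |
    Format-Table -AutoSize
```

Run from an elevated session on the host, this gives a quick inventory of which machine accounts hold local administrator rights.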