Help Center/ Workspace/ User Guide (Application Streaming)/ Administrator Operation Guide/ FAQs/ How Do I Use the GPO Group Policy to Make a Domain User Become a Local Administrator of a PC?
Updated on 2024-03-15 GMT+08:00

How Do I Use the GPO Group Policy to Make a Domain User Become a Local Administrator of a PC?

The AD domain administrator can specify a domain user as the local administrator of the PC. The domain user has some permissions of the AD domain administrator and can maintain the functions of the domain server of the Workspace Application Streaming service, for example, updating applications. As a dedicated domain administrator of Workspace Application Streaming, you can improve the security of domain servers and improve maintenance efficiency.

Creating a security group

  1. Log in to the AD server as the administrator and open Server Manager.
  2. Choose Tools > Active Directory Users and Computers.
  3. Right-click a domain and choose New > Group from the shortcut menu.

  4. Enter group information.

    • Set Group name to Local Admin.
    • Set Group scope to Global.
    • Set Group type to Security group.

  5. Click OK.
  6. Right-click the Local Admin group and choose Properties from the shortcut menu. On the Member tab page, add a user (a domain user that needs to be used as the local administrator of the PC).
  7. Click OK.

Creating a GPO group policy

  1. Open the Group Policy Management, right-click Group Policy Objects, and create a GPO named Local Admin GPO.

  2. Click OK.

Configuring the GPO policy

  1. Right-click the GPO created in 8 and choose Edit. The Local Group Policy Editor window is displayed.
  2. In the navigation pane, choose Computer Configuration > Policies > Windows Settings > Security Settings. Right-click Restricted Groups.

  3. Click Add Group.
  4. Add the Local Admin group created in 7 to the restricted group list.

  5. Expand the restricted group list, right-click the added Local Admin group, and choose Properties from the shortcut menu.

  6. In the This group belongs to area, click Add.

  7. Add the Local Admin group to the Administrators and Remote Desktop Users user groups, and click OK.

Connecting the Local Admin GPO group policy to a specified OU

  1. Open the group policy manager, right-click the OU to which you want to apply the group policy, and choose Connect existing GPOs from the shortcut menu.
  2. On the GPO list page, select Local Admin GPO and click OK.

Verifying whether the group policy is configured successfully

  1. Add a local PC to the domain where Workspace Application Streaming resides and add the PC to the OU to which the group policy has been applied (for example, aps OUS in 18). For details, see How Do I Add an ECS to the Domain of an APS?.
  2. Run the following command to open the Local Users and Groups page:

    lusrmgr.msc

  3. Click Groups, right-click the Administrators user group, and choose Properties from the shortcut menu to check whether the Local Admin group member is included.

  4. Right-click the Remote Desktop Users user group and choose Properties from the shortcut menu to check whether the Local Admin group member is included.

  5. Restart and log in to the PC, open the cmd CLI, and run the following command to perform forcible update:

    gpupdate /force