It was quite straightforward to import all computer accounts into FIM and use my codeless provisioning framework to create a rule that provisions a group to the AD MA for each computer account. Using the codeless framework, there was no need to have all computer accounts go to the FIM Service. We provisioned every computer group using the naming convention <computername>-LocalAdmin and afterwards brought the new groups into FIM using another MA, then configured appropriate approval workflows to allow users to request membership of the groups.
The provisioning rule created looked like this (you can read more about the provisioning rules here) -
<Name>Provision local admin group to ad</Name>
<Description>Only if contact has samaccountname</Description>
Now, the question remained; how do we effectively get these new computer groups added to the Local Administrator group of each computer, both existing and new computer accounts? Oh, no, it wasn't using PowerShell this time, although I was tempted.
I had a chat with a good colleague of mine from Inceptio, Risto Petersen. Risto is an Active Directory wizard and he had just the recipe: to add a machine-specific group to the local Administrators group of every server and/or workstation, you can deploy a Group Policy (GPO) utilizing Computer Configuration Preferences. The steps are -
- Create a naming standard for your groups including the computername in the group name. In this example I will use <computername>-LocalAdmin, so that for the computer PC1 the group is PC1-LocalAdmin
- Create the necessary groups, one for each computer object. Use scripting or FIM or some other tool. Remember to keep groups in sync with computer objects; i.e. when a computer is deleted the group should also be deleted.
- Create a GPO and link it to where your computer objects live in AD
- Edit this new GPO
- Go to “Computer Configuration”
- Go to “Preferences”
- Go to “Control Panel Settings”
- Go to “Local Users and Groups”
- Create a new “Local Group” object for the “Builtin Administrators” group
- Set the action to “Update”
- In the Members section add “%COMPUTERNAME%-LocalAdmin” or what your naming standard dictates
- You might also want to add another general group like “ALL-COMPUTERS-LocalAdmin” to easily delegate rights to all computers
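Step 2 above leaves the group creation and clean-up to "scripting or FIM or some other tool". As an added example, not code from the original post, this PowerShell script (ActiveDirectory RSAT module) creates a missing <computername>-LocalAdmin group for each computer and removes groups whose computer object no longer exists. The OU paths and domain name are placeholders.

```powershell
# Added example: keep one <computername>-LocalAdmin group per computer object.
# Assumes the ActiveDirectory module and rights to create/delete groups in $GroupOu.
Import-Module ActiveDirectory

$ComputerSearchBase = 'OU=Workstations,DC=example,DC=com'     # placeholder
$GroupOu            = 'OU=LocalAdminGroups,DC=example,DC=com'  # placeholder
$Suffix             = '-LocalAdmin'

# Computer names that should each have exactly one matching group.
$computers = Get-ADComputer -Filter * -SearchBase $ComputerSearchBase |
             Select-Object -ExpandProperty Name

# Groups that already follow the naming standard.
$existing  = Get-ADGroup -Filter "Name -like '*$Suffix'" -SearchBase $GroupOu |
             Select-Object -ExpandProperty Name

# Guard: an empty computer list usually means a wrong search base or a
# connectivity problem; deleting every group in that case would be a disaster.
if (-not $computers) {
    Write-Warning "No computers found under $ComputerSearchBase; nothing changed."
    return
}

$wanted = $computers | ForEach-Object { "$_$Suffix" }

# Create missing groups. Global security groups can be added to the local
# Administrators group by the GPO preference referencing %COMPUTERNAME%-LocalAdmin.
foreach ($name in $wanted) {
    if ($existing -notcontains $name) {
        $computer = $name.Substring(0, $name.Length - $Suffix.Length)
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $GroupOu `
                    -Description "Local Administrators on $computer"
    }
}

# Remove orphaned groups so a re-used computer name never inherits old members.
foreach ($name in $existing) {
    if ($wanted -notcontains $name) {
        Remove-ADGroup -Identity $name -Confirm:$false
    }
}
```

Run it once with -WhatIf appended to New-ADGroup and Remove-ADGroup to review the planned changes before letting it modify the directory.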
A great thank-you goes to Risto for this trick. Combining this setup with FIM's self-service features gives you a relatively simple solution for granting your users access to local administrator permissions.