Channel: Microsoft Community - Super Fresh

Custom Computer Policy GPO


We want to be able to add users to the Administrators group on a local computer for only a specific Sub OU, as we have a Default Computer Configuration policy to strip members from Administrators OU at root level of the domain.

We tried to create a new GPO to add the members, excluding this Sub OU from the Default Computer Configuration Policy by targeting, but it does not seem to work as we wanted, as the default computer policy (the only bit to "Delete all member Users") still applies to that Sub OU.

Can you please advise how to fix this? Below is the procedure we followed:

We have a Default Computer Configuration Policy which does the below:

The Default Computer Settings GPO has been set as below:

Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups -> Administrators (built-in) group.

This group setting has the below check boxes ticked:

- Delete all member users
- Delete all member groups

and to add the below members:

Domain Admins, All Staff, Delegation - Remote Desktop Administration Groups under members

and then, under the Common tab, Targeting is enabled to target different OUs which have Sub OUs

(Example: the domain is test.net, and under test we have OUs like Dept1, Dept2, and under the Dept1 OU we have Sub OUs team1, team2, team3.)

We want to implement a policy to exclude team3 from having the users deleted from the Administrators group. We tried to do this as below:

Under the Default Computer Configuration Policy:

- Navigate to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Computers
- Select Administrators (built-in) with order 2 and make sure that this has Domain Admins, All Staff, Delegation - Remote Desktop Administration Groups under members, and then go to the Common tab, click on Targeting and add the below:
  New Item -> Organizational Unit -> and under Item Option select "Is Not" and add "team3"
- Click OK and then Apply.

Created a new Policy as OU TEAM3 Computer Settings

- OU Team3 Computer Settings' option at the top of the tree and select Properties.
- In the General tab, check the box for 'Disable User Configuration settings'.
- Click OK.
- In the console tree, expand Computer Configuration -> Preferences -> Control Panel Settings and select 'Local Users and Groups'.
- In the white space of the Action pane, right-click and select New -> Local User.
- In the New Local User Properties dialog, select the User name: 'Administrator (built-in)' from the drop down. Select OK.
- Create a new Local Group by right-clicking into the Action pane and selecting New -> Local Group.
- In the 'New Local Group Properties' dialog, select the Group Name from the drop down menu: 'Administrators (built-in)'
- Check the 'Delete all member groups' checkbox.
- In the 'Members' section, select 'Add...'
- In the 'Local Group Member' add Domain Admins, Delegation - Remote Desktop Administration, AllStaff.
- Click OK.

But even after this policy, when we add members to Administrators on the computers at that location (Team3 Sub OU), the default computer configuration policy is still stripping the users.
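An added example, not part of the original post: a Python script that lists every Local Group item in a GPO's `Groups.xml` (the file under `Machine\Preferences\Groups` in the GPO's SYSVOL folder) with its delete flags and OU item-level targeting, so each item can be compared against the OU it is meant to skip. The embedded XML is a constructed sample; the attribute names (`deleteAllUsers`, `deleteAllGroups`, `FilterOrgUnit` with `not`) and the untargeted first item are assumptions for illustration, not details from the poster's environment.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's real policy. Two Administrators items:
# the first has no item-level targeting (an assumption for illustration), the
# second carries the "Is Not team3" OU filter described in the post.
SAMPLE_GROUPS_XML = """
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="1" deleteAllGroups="1"
                groupName="Administrators (built-in)"/>
  </Group>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="1" deleteAllGroups="1"
                groupName="Administrators (built-in)">
      <Members><Member name="Domain Admins" action="ADD"/></Members>
    </Properties>
    <Filters>
      <FilterOrgUnit bool="AND" not="1" name="OU=team3,OU=Dept1,DC=test,DC=net"/>
    </Filters>
  </Group>
</Groups>"""

def audit_group_items(groups_xml):
    """Return one finding per Local Group item, in file order."""
    findings = []
    for position, group in enumerate(ET.fromstring(groups_xml).iter("Group"), 1):
        props = group.find("Properties")
        if props is None:
            continue
        ou_rules = [("IS NOT " if f.get("not") == "1" else "IS ") + f.get("name", "")
                    for f in group.iter("FilterOrgUnit")]
        findings.append({
            "position": position,
            "group": props.get("groupName"),
            "delete_users": props.get("deleteAllUsers") == "1",
            "delete_groups": props.get("deleteAllGroups") == "1",
            "members": [m.get("name") for m in props.iter("Member")],
            "ou_targeting": ou_rules,
            "untargeted": len(group.findall("Filters/*")) == 0,
        })
    return findings

def untargeted_delete_items(findings):
    """Positions of items that clear members and have no targeting at all."""
    return [f["position"] for f in findings
            if (f["delete_users"] or f["delete_groups"]) and f["untargeted"]]

if __name__ == "__main__":
    print(untargeted_delete_items(audit_group_items(SAMPLE_GROUPS_XML)))
```

Running it over the `Groups.xml` of every GPO that touches the Administrators group shows, per item, whether a delete flag is set and which OU filter (if any) limits it.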

