Add domain user to local admins but on logon

Soldato
Joined
3 Apr 2007
Posts
7,262
Location
South of the Watford Gap!
I know how to do this as a Computer Policy but is there a way to do this when a user logs on?

Background, pooled VDIs, some users need local admin but using a group of users and then adding that group to local admins means that any local admin user potentially also has local admin rights on other running VMs.

So checking who the user is and then deciding to add them to local admin would resolve the above but I can’t seem to find a nice/tidy way to do this. I know I could probably do something with a scheduled task but much rather prefer to do this via group policies.
 
Soldato
Joined
18 Oct 2002
Posts
8,123
Location
The Land of Roundabouts
Pretty sure group memberships get processed as you log in, likely before any script can be set to run, so any changes don't take effect until they log out and back in again. Having it on logon could be quite tricky.

I'm not familiar with VDIs, so this may not work.
What you can do is create a security group in AD per server, i.e. "servername_localadmin" (change servername to suit). Create a group policy that adds "%computername%_localadmins" to the local machine Administrators security group. Then just add the users you need to the AD security group that correlates with the server they need admin rights for. (Hopefully that makes some sense :))

Or you could probably do something with LAPS; that way the user doesn't get admin rights on their account. It's a bit more finicky though.
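The per-server group convention from the post above, written out as PowerShell. This is an added example, not code from the thread: it assumes the ActiveDirectory module (RSAT) for the AD part and Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016 and later) for the local part; the OU path, the NetBIOS domain "EXAMPLE" and the "_localadmins" suffix are placeholders. The second function also reports any member of the local Administrators group outside the expected set, so a user or group that belongs to another VM shows up as drift.

```powershell
<#
  Added example (not from the thread): one AD security group per computer,
  added to that computer's local Administrators group only.
  Assumptions: ActiveDirectory module for New-PerComputerAdminGroup,
  Microsoft.PowerShell.LocalAccounts for Sync-LocalAdminGroup;
  the OU, the NetBIOS domain 'EXAMPLE' and the suffix are placeholders.
#>

$Suffix = '_localadmins'

# Part 1: run from an admin workstation for each pooled VM / computer account.
# Creates "<COMPUTERNAME>_localadmins" in AD if it does not already exist.
function New-PerComputerAdminGroup {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$GroupOU = 'OU=LocalAdminGroups,DC=example,DC=com'   # placeholder OU
    )
    Import-Module ActiveDirectory
    $name  = "$ComputerName$Suffix"
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        $group = New-ADGroup -Name $name -SamAccountName $name `
            -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description "Members are local Administrators on $ComputerName only" `
            -PassThru
    }
    return $group
}

# Part 2: run on the computer itself in the machine context (a startup script;
# a GPP "Local Users and Groups" item using %ComputerName% does the same job).
# Adds this machine's own group, then lists anything else in Administrators
# that is not on the allowed list, so per-VM scoping can be checked.
function Sync-LocalAdminGroup {
    param(
        [string]$Domain = 'EXAMPLE',                      # placeholder NetBIOS domain
        [string[]]$AlsoAllowed = @("$Domain\Domain Admins")
    )
    $own     = "$Domain\$env:COMPUTERNAME$Suffix"
    $members = Get-LocalGroupMember -Group 'Administrators'
    if ($members.Name -notcontains $own) {
        # Fails if the AD group has not been created yet (Part 1 must run first).
        Add-LocalGroupMember -Group 'Administrators' -Member $own
    }
    $allowed = @($own, "$env:COMPUTERNAME\Administrator") + $AlsoAllowed
    $drift   = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $allowed -notcontains $_.Name }
    return [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OwnGroup = $own
        Drift    = @($drift.Name)   # members that should not be here
    }
}

# Usage (constructed names):
#   New-PerComputerAdminGroup -ComputerName 'VDI-POOL-01'   # from an admin workstation
#   Sync-LocalAdminGroup -Domain 'EXAMPLE'                  # on VDI-POOL-01 at startup
```

Because the group is named after the computer, a user placed in VDI-POOL-01_localadmins gains no rights on VDI-POOL-02, which is the exposure the original question describes; the Drift field is what an admin would watch to confirm that.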
 
Soldato
Joined
25 Oct 2002
Posts
2,627
One of the issues you would have trying to add them to the local admins group during the user's logon is that by that point they're already logged on as a standard user, and so for their new admin rights to work they would have to log off and back on again - and presumably at that point they would be put on to a new VDI.

The simplest way may be to create a small pool of VDI just for these users that need local admin and then put an AD group only on them to give them the rights they need - or a dedicated VDI.
 
Soldato
OP
Joined
3 Apr 2007
Posts
7,262
Location
South of the Watford Gap!
Cheers for the answers guys.

Did some testing a few days back and you are absolutely correct in that having this as a GPP in the user context does mean that as the user has effectively logged on at that stage their token doesn't reflect their local admin group membership, so they aren't a true local admin. What is interesting is that if they then launch an app as admin and at the username/password dialog enter their own credentials it does recognise that the user is a member of local admin and runs the task as an administrator.

In the end what I ended up testing is to make INTERACTIVE USER a member of local admins and use a targeting rule so that there is some control/logic in terms of who becomes/has local admin rights. Might not use this, but it is an option, and I might have to fall back to a 1-to-1 user-to-VDI mapping for users that need local admin.

As these are pooled VDI, with a user personalisation layer, they effectively get reset on logoff so the local admin group gets reset.
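A diagnostic for the behaviour the OP observed above: the local Administrators group can contain the user while their logon token, built at logon, does not carry that membership. This is an added example, not code from the thread; it assumes Microsoft.PowerShell.LocalAccounts for Get-LocalGroupMember, and reads the token through the built-in whoami.exe, whose CSV output shows the "used for deny only" attribute that UAC sets on the Administrators SID in the non-elevated half of a split token.

```powershell
<#
  Added example (not from the thread): compare what the current logon token
  carries with what the local Administrators group contains right now.
  Assumes Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+).
#>
function Get-LocalAdminTokenState {
    # 1. Token view: group SIDs were fixed when the session's token was built.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow    = $tokenGroups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $tokenState  = if (-not $adminRow)                              { 'not in token' }
                   elseif ($adminRow.Attributes -match 'deny only') { 'in token (UAC-filtered)' }
                   else                                             { 'in token (elevated)' }

    # 2. Group view: is this user in Administrators now, directly or through a
    #    domain group that is already in the token? A domain group the user was
    #    added to after logon is not in the token and cannot be resolved from here.
    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($me.User.Value) + @($tokenGroups.SID)
    $matching  = @(Get-LocalGroupMember -Group 'Administrators' |
                   Where-Object { $tokenSids -contains $_.SID.Value })

    [pscustomobject]@{
        User          = $me.Name
        TokenState    = $tokenState
        GroupMatches  = @($matching.Name)
        # True exactly in the OP's situation: the group says admin, the token does not.
        NeedsNewLogon = ($matching.Count -gt 0 -and $tokenState -eq 'not in token')
    }
}

Get-LocalAdminTokenState
```

Run as the affected user after the GPP has applied: NeedsNewLogon comes back True, which is why "run as administrator" with the same credentials still works (that prompt creates a fresh logon and a fresh token) while the existing session stays a standard user. On a pooled VDI that is reset at logoff, the new logon lands on a clean VM, which is the catch the thread describes.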
 