Add domain user to local admins but on logon

I know how to do this as a Computer Policy but is there a way to do this when a user logs on?

Background: pooled VDIs, some users need local admin, but using a group of users and then adding that group to local admins means that any local admin user potentially also has local admin rights on other running VMs.

So checking who the user is and then deciding to add them to local admin would resolve the above, but I can't seem to find a nice/tidy way to do this. I know I could probably do something with a scheduled task, but I'd much rather do this via group policies.
 
Cheers for the answers guys.

Did some testing a few days back and you are absolutely correct in that having this as a GPP in the user context does mean that as the user has effectively logged on at that stage their token doesn't reflect their local admin group membership, so they aren't a true local admin. What is interesting is that if they then launch an app as admin and at the username/password dialog enter their own credentials it does recognise that the user is a member of local admin and runs the task as an administrator.

In the end, what I ended up testing is to make INTERACTIVE USER a member of local admins and use a targeting rule so that there is some control/logic in terms of who becomes/has local admin rights. Might not use this, but it is an option, and I might have to fall back to a 1 to 1 user to VDI mapping for users that need local admin.

As these are pooled VDI, with a user personalisation layer, they effectively get reset on logoff so the local admin group gets reset.
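
The logon-token behaviour described in the post above can be checked from inside the user's session. This is an added example, not part of the original posts: it compares the local Administrators group as it exists now with the groups in the current token, and it assumes Windows PowerShell 5.1 or later with the `Microsoft.PowerShell.LocalAccounts` module available.

```powershell
# Added example: compare BUILTIN\Administrators membership as stored on the
# machine right now with the group list in this session's logon token.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# SIDs this session can match on: the user plus every enabled token group
# (for example INTERACTIVE, S-1-5-4). .Groups leaves out deny-only entries.
$tokenSids = @($identity.User.Value) +
             @($identity.Groups | ForEach-Object { $_.Value })

# Current members of the local Administrators group.
$members  = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop
$matching = @($members | Where-Object { $tokenSids -contains $_.SID.Value })

$inGroupNow = $matching.Count -gt 0              # what the machine says now
$inToken    = $principal.IsInRole($adminSid)     # what this token grants

$finding = if ($inGroupNow -and -not $inToken) {
    # Either the membership was added after this token was built (the case in
    # the post), or UAC is filtering the token and the process is not elevated.
    'Member of Administrators, but not enabled in this token'
} elseif ($inGroupNow -and $inToken) {
    'Member of Administrators and enabled in this token'
} elseif ($inToken) {
    'Token still carries Administrators; membership has since been removed'
} else {
    'Not an administrator'
}

[pscustomobject]@{
    User                = $identity.Name
    MatchedMembers      = ($matching.Name -join ', ')
    InLocalGroupNow     = $inGroupNow
    AdminEnabledInToken = $inToken
    Finding             = $finding
}
```

Run it once in the existing session and once in a process started with freshly entered credentials to see the two tokens differ.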
 