Group Policy: Creating and managing Local Groups on Servers and Desktops


How many Windows desktops does your company support? How many servers does your company have to house applications, files, printers, etc.? Now, consider that on all of these desktops and servers you must control the local groups that reside on them, bearing in mind that some of the servers might be in remote locations and some of the desktops might be laptops which roam throughout the US or the world. If you wanted to create a local group on all of these computers, how would you get that done? Script? What if you wanted to ensure that the local Administrators group contains specific domain groups, such as the Domain Admins? How long would it take to ensure that these settings are complete?

With new Group Policy Preferences, these tasks are easy and certain to apply to all of the desktops and servers that are designed to receive the settings. To administer Group Policy Preferences you need to have a Windows Server 2008 server OR a Windows Vista desktop, which is running SP1 and has the RSAT installed. Both of these environments have the new Group Policy Management Console (GPMC) installed on them, which is required to administer Group Policy Preferences. See my article on Vista and the RSAT at Microsoft Remote Server Administration Tools for Windows Vista.

Creating New Local Groups: The creation of a new local group on numerous desktops can be a daunting task. Group Policy Preferences provide an easy way to accomplish this for nearly all of your Windows desktops and servers. You can create a new local group on a server or desktop by targeting either the computer object or the user object. In most cases when you want to create a new local group, you will target computer objects.

To accomplish this task, create and link a GPO to an organizational unit which contains the computer object you want to target. Edit the GPO and expand Computer Configuration|Preferences|Control Panel Settings|Local Users and Groups. Right-click on Local Users and Groups, then select New - Local Group. This will open up the New Local Group dialog box.

To create a new group, select the Create option on the Action drop-down list. Then, type in the name of the local group, description for the local group, etc.
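As an added example (not part of the original article): GPMC saves Local Users and Groups preference items to a Groups.xml file under the GPO's Machine\Preferences\Groups folder in SYSVOL, so what was configured in the dialog can be reviewed before the GPO is linked widely. The PowerShell below parses a constructed sample trimmed to the attributes it reads; the group names, the EXAMPLE domain and the function name Get-GppLocalGroupItem are assumptions.

```powershell
# CONSTRUCTED sample of a Groups.xml file (clsid/uid/changed attributes omitted).
# Item 1 creates a local group; item 2 updates the built-in Administrators group.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="AppSupport">
    <Properties action="C" newName="" description="Local support group"
                deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0"
                groupName="AppSupport"/>
  </Group>
  <Group name="Administrators (built-in)">
    <Properties action="U" newName="" description=""
                deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="EXAMPLE\Domain Admins" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

# Hypothetical helper: summarize each preference item in a Groups.xml document.
function Get-GppLocalGroupItem {
    param([Parameter(Mandatory)][xml]$GroupsXml)

    # Action letters as stored by the Action drop-down list.
    $actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($group in $GroupsXml.SelectNodes('/Groups/Group')) {
        $props = $group.SelectSingleNode('Properties')
        if ($null -eq $props) { continue }   # skip malformed items

        $members = foreach ($m in $props.SelectNodes('Members/Member')) {
            '{0}:{1}' -f $m.GetAttribute('action'), $m.GetAttribute('name')
        }
        [pscustomobject]@{
            Group        = $props.GetAttribute('groupName')
            Action       = $actionNames[$props.GetAttribute('action')]
            # "Delete all member users/groups" removes anything not re-added below.
            WipesMembers = ($props.GetAttribute('deleteAllUsers') -eq '1') -or
                           ($props.GetAttribute('deleteAllGroups') -eq '1')
            Members      = @($members) -join '; '
        }
    }
}

Get-GppLocalGroupItem -GroupsXml $sampleXml | Format-Table -AutoSize
```

To review a real GPO, pass the file's content instead of the sample, for example `[xml](Get-Content -Raw <path to Groups.xml>)`. Items that show WipesMembers as True on the Administrators group deserve a second look, since every existing member not listed in the item is removed when the preference applies.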
