Using GPO to control Local Administrators group

I read an excellent article on how to populate the Local Administrators group via Group Policy Objects (GPO): http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

However, after following the instructions to the letter, I could only populate the Local Administrators group with the builtin\administrator user account; the other groups I specified were simply ignored.

Here’s how I fixed the issue:

The answer was to make sure the builtin\administrator account was added last:

  1. Create a new GPO and navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
  2. Right-click in the empty space and choose New > Local Group.
  3. Add your groups, but make sure you enter builtin\administrator last.
  4. Confirm the members of the local Administrators group on the client PC.
  5. Smile inwardly because this is cool, and you know it!

EDIT:

OK, what's not so cool is forgetting that the built-in Administrator account is disabled on many of our Win7 laptops, so the local Administrator was effectively locked out; there was also a strange network issue with several HP laptops, which prevented network connections.

Now, with no enabled local user in the local Administrators group, and no network connection to resolve the domain groups, there was no account with enough rights to add a local administrator. Catch-22!

The solution was to download the excellent Trinity Rescue Kit, then boot up the laptops with a freshly burnt CD and run Winpass. Using Winpass I was able to enable the local Administrator account, and add it to the local Administrators group. Phew!
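The following PowerShell script is an added example, not code from the original post. It covers step 4 of the procedure above (confirming who is actually in the local Administrators group after the GPO applies) and the lockout described in the EDIT: it checks whether the built-in Administrator (the local account with RID 500, whatever it has been renamed to) is enabled and present in the group, and warns when the only remaining members are domain principals that cannot be used while the machine is off the network. It uses the WinNT ADSI provider and WMI rather than the newer LocalAccounts cmdlets so that it also runs on Windows 7. The function names, the assumption that it runs elevated on the client, and the remediation step are all mine.

```powershell
# Added example (not from the original post). Assumes it is run from an
# elevated PowerShell prompt on the client PC (Windows 7 or later).

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group via ADSI; works on Win7,
    # where Get-LocalGroupMember is not available.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $cls  = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/Name or WinNT://COMPUTER/Name;
        # a member whose SID can no longer be resolved shows its SID as the name.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Source  = $parts[0]
            Name    = $parts[-1]
            Class   = $cls
            IsLocal = ($parts[0] -ieq $env:COMPUTERNAME)
        }
    }
}

function Get-BuiltinAdministrator {
    # The built-in Administrator is the local account whose RID is 500,
    # regardless of what it has been renamed to. Win32_UserAccount exposes
    # both the SID and the Disabled flag.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
}

function Test-LocalAdminLockout {
    # Returns $true when the group still contains at least one ENABLED local
    # user, i.e. someone can log on and fix things without the domain.
    $members = @(Get-LocalAdminMembers)
    $builtin = Get-BuiltinAdministrator

    Write-Host "Members of $env:COMPUTERNAME\Administrators:"
    $members | Format-Table Source, Name, Class, IsLocal -AutoSize | Out-Host

    $enabledLocal = foreach ($m in $members) {
        if (-not ($m.IsLocal -and $m.Class -eq 'User')) { continue }
        # WQL string literals are single-quoted; escape any quote in the name.
        $safe = $m.Name -replace "'", "\'"
        $acct = Get-WmiObject -Class Win32_UserAccount `
                    -Filter "LocalAccount=True AND Name='$safe'"
        if ($acct -and -not $acct.Disabled) { $m }
    }

    if ($builtin.Disabled) {
        Write-Warning ("Built-in Administrator '{0}' is DISABLED; adding it " +
                       "to the group does not give you a usable local admin.") -f $builtin.Name
    }
    if (-not $enabledLocal) {
        Write-Warning ("No enabled local user is in Administrators. If this PC " +
                       "loses its domain connection you are locked out.")
        return $false
    }
    return $true
}

function Enable-BuiltinAdministrator {
    # Preflight remediation: run this while you still have admin rights (for
    # example as a startup script in the same GPO), not after the lockout,
    # when only an offline tool such as the rescue CD above can help.
    $builtin = Get-BuiltinAdministrator
    & net user $builtin.Name /active:yes    | Out-Null
    & net localgroup Administrators $builtin.Name /add | Out-Null
    Write-Host "Enabled '$($builtin.Name)' and ensured it is in Administrators."
}

# Usage: run the check; enable the -500 account only if you really intend it
# (and give it a strong password first with: net user <name> *).
if (-not (Test-LocalAdminLockout)) {
    Write-Host 'Run Enable-BuiltinAdministrator to avoid the Catch-22 described above.'
}
```

Note that `Get-WmiObject` is the Windows 7 / PowerShell 2.0 era cmdlet; on a current machine the same queries can be expressed with `Get-CimInstance`, and the membership listing with `Get-LocalGroupMember`. The important design point is the check on an enabled local account rather than on "is builtin\administrator in the group": the GPO step above only controls membership, not whether the account can actually log on.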