As I am building a small virtual network of machines for development purposes, I figured I might as well try to do things the right way instead of just running everything as Domain Administrator for the sake of convenience 🙂
Given that my main platform focus is Windows 10 / Server 2016 currently, I want to do as much as possible in a structured manner so I am setting up my AD structure. Tto keep things simple, I have an Organizational Unit (OU) for my user accounts, and one for the computers in my virtual network.
And while that’s not a technical inconvenience, I prefer to have only things at the Domain root level that I want to apply to everything including Domain Controllers. Group Policy makes everything convenient and easy, including shooting yourself in the foot. And if you mess up the Domain Controllers, it will take your entire leg off. So I make an OU for users and one for computers in order to have better places to which to apply GPOs.
The first thing I want to configure is Local System Security. This is a generic title for everything in the category ‘I want to allow X to do Y, or enable Z’. The first order of business is configuring who gets to be an Administrator on the local machine. By default, that would be ‘Administrator’ and ‘Domain Administrators’. I want to add another group so that all group members get to be a Local Admin without having to be a Domain Admin, or without having to manually add individual users. Thankfully, Group Policy makes this trivial. I simply configure the following setting in my Local System Security GPO:
Because this GPO is only applied to the Computers OU, the Domain Controllers are left out of scope.