Local Admin GPO Updates

Reminder: a brief overview of fleetwide policies is available here.

As of 5pm on 9/25, we’ll be changing the way our local admin GPO functions. Currently, the GPO attempts to do the following:

  • Create/set the local Support account (This fails 100% of the time and just generates event log entries)
  • Create/set the local SupportRemote account (This fails 100% of the time and just generates event log entries)
  • Add the local Support account to the local administrators group
  • Add the local SupportRemote account to the local administrators group
  • Add the CN\Desktop Admins group (our network admin accounts) to the local administrators group

After the change, a new policy (Windows – Local Administrators) will do the following:

  • Add the local Support account to the local administrators group
  • Add the CN\Desktop Admins group to the local administrators group
  • Remove the local SupportRemote account from the local administrators group

The local Support/SupportRemote accounts are created as part of the build process, so they don’t need to be created via policy.
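To confirm on a given machine that the new policy has taken effect, the membership of the local Administrators group can be compared against the three items listed above. The script below is an added example for this announcement, not part of the GPO itself or of any existing support tooling. It assumes Windows 10 / Server 2016 or later (for `Get-LocalGroupMember`), that the domain's NetBIOS name is `CN` as written above, and that the machine has already refreshed Group Policy (`gpupdate /force` and, if needed, a reboot) since 9/25.

```powershell
# Added example (not from the original announcement or the GPO): check that the
# local Administrators group matches the "Windows - Local Administrators" policy.
# Assumptions: Get-LocalGroupMember is available (Win10 / Server 2016+), the domain
# NetBIOS name is CN, and the policy has already been processed on this machine.

function Test-LocalAdminPolicy {
    # Names Get-LocalGroupMember returns: local accounts as COMPUTERNAME\Account,
    # domain principals as DOMAIN\Name.
    $expectedPresent = @(
        "$env:COMPUTERNAME\Support",
        'CN\Desktop Admins'
    )
    $expectedAbsent = @(
        "$env:COMPUTERNAME\SupportRemote"
    )

    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    $problems = @()

    foreach ($name in $expectedPresent) {
        if ($members -notcontains $name) {
            $problems += "MISSING from Administrators: $name"
        }
    }

    foreach ($name in $expectedAbsent) {
        if ($members -contains $name) {
            # SupportRemote still being an admin means the new policy has not
            # applied yet (or something else re-added it); refresh policy and re-check.
            $problems += "STILL in Administrators: $name"
        }
    }

    # Anything not on the expected list is worth a second look, e.g. a customer's
    # Lastname_F account is fine, an unexpected account or group is not.
    $known = $expectedPresent + $expectedAbsent
    $extra = $members | Where-Object { $known -notcontains $_ }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
        OtherAdmins = $extra
    }
}

$result = Test-LocalAdminPolicy
$result | Format-List

if (-not $result.Compliant) {
    # Show which GPOs the machine actually applied so it is clear whether the new
    # policy was processed at all.
    gpresult /r /scope:computer
}
```

Run this in an elevated PowerShell session on the affected machine. A `Compliant = True` result with `SupportRemote` absent is the expected post-9/25 state; if `SupportRemote` is still listed, run `gpupdate /force` and re-check before treating it as a policy problem.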

The important change is that once a machine has processed this new policy, SupportRemote will no longer be a local administrator on it. This is a good thing, as we typically give out the password to anyone who asks (or as part of normal troubleshooting), and we really don’t want to be inadvertently handing out admin credentials to the fleet.

If customers call in looking for help because they were expecting to use SupportRemote as an admin account, we should help them get a regular Lastname_F local admin account set up. (See this KB article for details).

If a customer was using the SupportRemote account to manage multiple machines, chat with Ben about getting a network user plus account spun up for them.