ManagedBy in Administrators by GPO/GPP

This is a neat solution, that doesn't use any script, to add the managedBy user on the computer object to the local Administrators group.
Or Remote Desktop Users or any other group you like, of course...

It's easy to limit the usage with the help of Security Filtering or OU structure.

GPO: Preferences -> Control Panel Settings -> Local Users and Groups
New -> Local Group

Local Group tab
Group name: Administrators (Built-In)
Members: %managedByUser%

Common tab
[x] Item-level targeting
-> [Targeting...]
New Item -> LDAP Query
Filter: (&(objectCategory=computer)(objectClass=computer)(cn=%ComputerName%))
Binding: LDAP:
Attribute: managedBy
Environment variable name: managedBy

New Item -> LDAP Query
Filter: (&(objectCategory=user)(objectClass=user)(distinguishedName=%managedBy%))
Binding: LDAP:
Attribute: sAMAccountName
Environment variable name: managedByUser

Edit. Happy to see in the comments that some people have found this post and have use for it 🙂

Comments (15) Trackbacks (0)
  1. Thank you for the post I found it very helpful, was scratching my head on the LDAP ILT and this cleared it up for me.

  2. This is an absolutey inspired method of adding local admins – thank you!!!!

  3. We love you. You just made our PowerShell StartUpScript obsolete

  4. This is an absolutely brilliant idea! Thank You! 🙂

  5. This was exactly what I was after. Although it seems to fail if there’s a local user by the same name as the sAMAccountName on the domain.
    It works consistently if used along the lines of YOUR_DOMAIN\%ManagedByUser%.

  6. Question; We use this to make user local admin on their device. But how can you remove it? Because, when you clear the managed by attribute, the user still remains in de local group Administrators !

    • Late response, sorry about that. There is a checkbox in the GPP to remove all users and/or groups from the local group. you can tick that one and then add the groups/users you like in the same GPP.
      That way when admins adds their colleagues to Administrators their accounts gets removed at next reboot. Pretty sweet 🙂

  7. This works for one user. Does it work for groups to?

    • (&(|((objectCategory=user)(objectClass=user))((objectCategory=group)(objectClass=group)))(distinguishedName=%managedBy%

  8. Thank you for this
    If you change


    Now it works with group / user

  9. Thanks. Great way to add specific user or groups to local admins.

  10. How do you force it to only scan a specific OU?

  11. Nevermind. I overlooked the option to apply it to machines in a specific OU while excluding others.

Leave a comment

No trackbacks yet.