Since Group Policies were first introduced with Windows 2000 there has been a setting called “Restricted Groups” which allows you to control the membership of a group. The other problem was that the “Members” option would override the “Members Of” option, so there was really no way of mixing the two modes. Well, again this is where Group Policy Preferences can help. Group Policy Preferences can use variables, which enable you to be extremely granular in controlling your local admin group while still having “Iron Fist” control.

One solution to this is of course following Microsoft best practice and not giving your users local admin access to their PC or server. In a utopian environment this would be possible, but we all live in the real world where managers have admin access to their PCs and developers are allowed to install any software they want. When this does happen it is almost impossible to discover, as you have to run a query on every computer to see who is in the local admin group and then figure out which accounts should be members.

How do I set up a restricted local administrator group?

Now we are going to go through how to add a uniquely named domain group to the local Administrators group without having to set up multiple Group Policy Objects. This scenario is very helpful if you want to grant a single user or group local administrator access on a computer but still ensure that no other users or groups can be added without being explicitly approved.

In the steps below the computer name is DESKTOP01 and the domain name is CONTOSO. We want to add the group “CONTOSO\DESKTOP01 Administrators” to the local Administrators group, but we also want the same to happen on DESKTOP02, DESKTOP03 and so on, each with its own uniquely named group based on the computer name.

Create the GPO. This will disable the built-in Administrator account and create a new local administrator. This is a security precaution and in my opinion a best practice.

Click “Add…” again, now click in the “Name:” text field and then press F3. Now go back and repeat steps 3 to 6 until you get to the Local Group Member dialogue box again (see Image 6.). Type “%Domain Name%\%Computer Name% Administrators” in the Name text field and click “OK” (Image 7.)

Image 7.

Update: Having a unique group for each computer allows you to easily grant permission for a single user to a single computer, as there is a one-to-one mapping of domain groups to local Administrators groups.

I know I can set general password policies, but don't want to change this for all users.

The indicated user account was locked out after repeated logon failures due to a bad password. This event is logged both for local SAM accounts and domain accounts.