I have an issue, and i have read all the forums, NONE of what you say works.
at all.
I want a group policy object to apply to all users (authenticated users) (basically everyone!) on ALL machines they log into.
I want it to add the user who signs in to the local group administrators on that PC.
BUT i want it to NOT apply to the main 3 servers, incase they try singing in, that and 1 of the servers is a terminal server.
i have tried creating a security group with the 3 servers in it, and told that group policy object to DENY applying the policy for that group, BUT IT DOESNT WORK.
it seems to completely ignore me. it applys it to all computers all the time, if i even add the computers manually to the gpo and tick "deny" read, "deny" apply policy, it doesnt obey me.
no matter what i do, it will apply.
I need help with this one. i read the other post in the forum but your method which i have tried both of, doesnt have any affect.
there is about 100 users, and most of them sign into the terminal server AND another VDI server which automatically starts up about 25-50 images of Windows 7 Enterprise. - those are the ones they need to automatically be added to the local admin group - since the server just creates or starts up an image right as they log on.
im using an SBS 2008 R2 server for active directory/group policy (it's the domain controller).