Create policy to put users/groups in local admin group…


I want to add, for example, my service account named _svc_vmmservice to the local admin group on my VMM nodes. Following the Microsoft AGLP model (accounts -> global groups -> local groups -> permissions), I first create a global group named “_gg_localAdminVMM” and a local group named “_lg_localAdminVMM”, then put _svc_vmmservice in the global group and put the global group in the local group:

…in addition you need a group for the VMM servers/nodes (not users). Do the same for the VMM servers:

Create the policy:


…remove “Authenticated Users” and change the scope of this policy to the VMM servers group:

…don't forget to link this GPO to your ServerOU.

Time to apply this new policy with:

…you can check it with the command:

…before gpupdate:

and after gpupdate:



HINT: if you don't see your policy applied and you created the computer group for your VMM servers only a short time before, you have to reboot your VMM servers first so that the group membership takes effect!
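
The same procedure scripted with the ActiveDirectory and GroupPolicy RSAT modules, as an added example that is not part of the original post. The OU paths, the computer group name, the GPO name and the node names are hypothetical placeholders, the "local group" is assumed to be a domain local group, and the verification assumes PowerShell remoting is enabled on the nodes.

```powershell
# Added example, not the author's own commands. Run from a management host.
Import-Module ActiveDirectory, GroupPolicy

$groupOU   = 'OU=Groups,DC=example,DC=test'   # hypothetical OU for the new groups
$serverOU  = 'OU=Servers,DC=example,DC=test'  # hypothetical DN of "ServerOU"
$nodeGroup = '_gg_VMMServers'                 # hypothetical computer group name
$gpoName   = 'LocalAdmin-VMM'                 # hypothetical GPO name
$vmmNodes  = 'VMM01', 'VMM02'                 # hypothetical VMM node names

# AGLP: account -> global group -> local group (assumed: domain local)
New-ADGroup -Name '_gg_localAdminVMM' -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name '_lg_localAdminVMM' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity '_gg_localAdminVMM' -Members '_svc_vmmservice'
Add-ADGroupMember -Identity '_lg_localAdminVMM' -Members '_gg_localAdminVMM'

# Separate group that holds the VMM computer accounts (sAMAccountName ends in $)
New-ADGroup -Name $nodeGroup -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity $nodeGroup -Members ($vmmNodes | ForEach-Object { "$_`$" })

# GPO container, security filtering and link. The setting that adds
# _lg_localAdminVMM to the local Administrators group is still configured
# in the GPO editor as in the post; it is not scripted here.
New-GPO -Name $gpoName | Out-Null
# Grant the computer group Read + Apply first, then remove Authenticated Users.
Set-GPPermission -Name $gpoName -TargetName $nodeGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
New-GPLink -Name $gpoName -Target $serverOU | Out-Null

# Verify on each node: membership of BUILTIN\Administrators (well-known SID
# S-1-5-32-544, independent of the OS display language) before and after gpupdate.
$result = Invoke-Command -ComputerName $vmmNodes -ScriptBlock {
    $isMember = {
        [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Where-Object { $_.Name -like '*\_lg_localAdminVMM' })
    }
    $before = & $isMember
    gpupdate /target:computer /force | Out-Null
    [pscustomobject]@{ Node = $env:COMPUTERNAME; Before = $before; After = (& $isMember) }
}
$result | Format-Table Node, Before, After

# After = False right after creating $nodeGroup usually means the node has not
# picked up its new group membership yet (see the HINT above): reboot and re-run.
$result | Where-Object { -not $_.After } |
    ForEach-Object { Write-Warning "$($_.Node): policy not applied yet" }
```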