My apologies, I didn't explain that very well.
The way it works is like this:
1. A user (in this case only Systems Analysts) requests to be local admin to test applications on their test boxes
2. They submit an ITSM ticket
3. I get the ticket
4. I then email them a hyperlink to an InfoPath web form that I created and published to my team's SharePoint site
5. The user then fills out the form with all the computers they need to be admins on
6. User then submits the form
7. My team’s Exchange Distribution List is then notified that a request has come in for a user to be granted local admin rights on a computer(s)
8. I then run my PowerShell script that does the following:
- Creates the AD groups %computername%-adm
- Adds user to that AD group
- Adds that group to the local admin group on those computers
We use a restricted group GPO with policy preferences that allows %computername%-adm AD groups to be members of the local admin group on systems. Anything else is stripped out of the local admin group, with the exception of my team's AD group.
Does that make more sense?
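As an added example (not the poster's own script), here is one way step 8 and the %computername%-adm convention from the post could be implemented in PowerShell with the RSAT ActiveDirectory module. The OU path, audit log path, ticket id and computer names are assumptions or constructed values, as is the requirement that WinRM is reachable on the test boxes for the immediate local add; it also verifies that each computer and the user exist in AD before creating anything, so form input cannot create groups for arbitrary names.

```powershell
# Added example, not the poster's script. Grants a user local admin on the
# named test boxes through a per-computer "<computer>-adm" AD group, which a
# restricted-groups GPO is assumed to honour.
# Assumptions (not from the post): the OU path, the audit log path, RSAT's
# ActiveDirectory module installed, and WinRM enabled on the test boxes.
#Requires -Modules ActiveDirectory

function Grant-TestBoxAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $UserSamAccountName,
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Assumed OU; the GPO should only honour groups created here.
        [string] $GroupOU  = 'OU=LocalAdminGroups,OU=Groups,DC=example,DC=com',
        [string] $AuditLog = 'C:\Logs\local-admin-grants.log',
        [string] $TicketId = 'UNSPECIFIED'
    )

    $domain = (Get-ADDomain).NetBIOSName
    # Fail early if the requester is not a real account; otherwise a typo
    # would silently produce an empty group.
    $user = Get-ADUser -Identity $UserSamAccountName -ErrorAction Stop

    foreach ($computer in $ComputerName) {
        # Only build groups for computers that exist in AD.
        $adComputer = Get-ADComputer -Filter "Name -eq '$computer'"
        if (-not $adComputer) {
            Write-Warning "Skipping '$computer': not found in AD"
            continue
        }

        $groupName = "$($adComputer.Name)-adm"
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $GroupOU
        if (-not $group -and $PSCmdlet.ShouldProcess($groupName, 'Create AD group')) {
            $group = New-ADGroup -Name $groupName -GroupScope DomainLocal `
                -GroupCategory Security -Path $GroupOU `
                -Description "Local admin on $($adComputer.Name) (ticket $TicketId)" `
                -PassThru
        }

        if ($group -and $PSCmdlet.ShouldProcess("$groupName <- $($user.SamAccountName)", 'Add member')) {
            # Idempotent: re-adding an existing member is an error we can ignore.
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction SilentlyContinue
        }

        # The restricted-groups GPO enforces this membership at the next policy
        # refresh; the remote add only makes it effective immediately.
        if (Test-Connection -ComputerName $adComputer.Name -Count 1 -Quiet) {
            if ($PSCmdlet.ShouldProcess($adComputer.Name, "Add $domain\$groupName to Administrators")) {
                Invoke-Command -ComputerName $adComputer.Name -ArgumentList "$domain\$groupName" -ScriptBlock {
                    param($member)
                    Add-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue
                }
            }
        } else {
            Write-Warning "'$($adComputer.Name)' is offline; the GPO will apply the membership at next refresh"
        }

        # One audit line per grant ties ticket, operator, requester and box together.
        $line = "{0:u}`t{1}`t{2}`t{3}`t{4}" -f (Get-Date), $env:USERNAME, $TicketId, $user.SamAccountName, $groupName
        Add-Content -Path $AuditLog -Value $line
    }
}

# Usage (constructed values; preview with -WhatIf first, then run without it):
# Grant-TestBoxAdmin -UserSamAccountName 'jdoe' -ComputerName 'TESTBOX01','TESTBOX02' -TicketId 'INC0012345' -WhatIf
```

Because the GPO strips everything except the %computername%-adm group and the team's group from the local Administrators group, the audit log and the AD group membership together become the record of who holds admin on which box; removing the user from the group (or deleting the group when the ticket is closed) is enough to revoke access at the next policy refresh.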