I can see by your question you've taken the time to think about how to leverage group policies in order to grant local admin access rights. I don't see anything wrong with your scenario.
I think what makes this work is the use of the Global Policy Object (GPO). The purpose of GPOs is to get around the fact that various users with similar access requirements may not be in the same Organizational Unit (OU) in the directory. As you stated, once you set up a domain global security group to the GPO, it can then be linked to sites, domains and OUs containing the administrator user objects. The GPO script would then be linked to the local administrator group of the user's computer. It makes perfect sense.
Related Q&A from Randall Gamby, Contributor
- Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.
- Expert Randall Gamby discusses risk-based authentication, and whether that type of user identification system is right for the enterprise.
- Expert Randall Gamby discusses various types of single sign-on, specifically the approaches of Ping Identity's SSO and Symplified SSO.