Some of us want to loosen up our control on the local computer and really does not matter to us what the user does with it as long as they don’t inflict damage on the domain. By default, Windows makes Domain Admins a local administrator on all computers that are a member of the domain. But domain users are still restricted, this is especially true of Windows XP computers. (Yes there are many of us still using them!)
Here is how you can give a domain user administrative access on their local computer but not make them an administrator on your domain.
Follow these steps:
1. Open Group Policy Management
2. Create a new policy and call it “Local Administrators”
3. Edit the new policy
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
5. Right click in the right pane and select Add Group
6. Name the group “Administrators” and click Ok
7. Double Click the group you just created and add users or groups in the upper pane (Members of this group:) as necessary. Don’t forget to add Domain Admins!
8. In the lower pane (This group is a member of:), Click add and type Administrators. Click Ok
9. Click Ok
10. Close the editor
11. Apply the policy to the appropriate OU’s (Organizational Units or containers as some of us refer to them)
Reboot the computers and Viola! Your users can now destroy their machines in record time! Without your help!
Some things to remember about group policy implementation:
1. Rarely does a policy take effect on the first reboot. I've had to reboot computer 3 or 4 times on occasion to get a policy to take.
2. Have patience! Active Directory typically takes 15 minutes or so to replicate. Your policy changes may take up to 3 cycles to completely replicate.
3. You can use gpupdate /force /wait:0 to force the update. Do it on the DC's first then the workstations.
4. Always use a separate policy for groups of changes. ie... firewall changes should all be in a policy named "Firewall". By doing this you will be able to troubleshoot more efficiently.
5. BACKUP, BACKUP BACKUP! - Before making changes!
See this article and more on my
XpertNotes.Net - Frank McCourry's Blog
What to backup when making change on the Group Policy ?
I stress BACKUP BACKUP BACKUP, because without backups, you may have no other way to undo a change that causes you to lose access to something important. This is more of a generic statement reminding us to pay attention to and plot a way to reverse our changes . Obviously, your environment, your policies and your tolerance level will dictate to what extent you follow that advise.