How to build a policy that gives local users administrative rights on the local computer without making them an administrator on the domain.

Some of us want to loosen our control over the local computer, and it really does not matter to us what the user does with it as long as they don’t inflict damage on the domain. By default, Windows makes Domain Admins a local administrator on all computers that are members of the domain, but domain users are still restricted. This is especially true of Windows XP computers. (Yes, there are many of us still using them!)

Here is how you can give a domain user administrative access on their local computer but not make them an administrator on your domain.

Follow these steps:
1. Open Group Policy Management
2. Create a new policy and call it “Local Administrators”
3. Edit the new policy
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
5. Right-click in the right pane and select Add Group
6. Name the group “Administrators” and click OK
7. Double-click the group you just created and add users or groups in the upper pane (Members of this group:) as necessary. Don’t forget to add Domain Admins!
8. In the lower pane (This group is a member of:), click Add and type Administrators. Click OK
9. Click OK
10. Close the editor
11. Apply the policy to the appropriate OUs (Organizational Units, or containers as some of us refer to them)

Reboot the computers and voilà! Your users can now destroy their machines in record time! Without your help!

Some things to remember about group policy implementation:
1. Rarely does a policy take effect on the first reboot. I've had to reboot a computer 3 or 4 times on occasion to get a policy to take.
2. Have patience! Active Directory typically takes 15 minutes or so to replicate. Your policy changes may take up to 3 cycles to completely replicate.
3. You can use gpupdate /force /wait:0 to force the update. Do it on the DCs first, then the workstations.
4. Always use a separate policy for groups of changes, i.e. firewall changes should all be in a policy named "Firewall". By doing this you will be able to troubleshoot more efficiently.
5. BACKUP, BACKUP BACKUP! - Before making changes!
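
One way to check the result of the steps above on a workstation, as an added example that is not part of the original article: it compares the local Administrators group with the list entered in step 7. The domain name CONTOSO and the group "Workstation Local Admins" are placeholders, and Get-LocalGroupMember assumes Windows PowerShell 5.1 or later (on older systems, net localgroup Administrators lists the same membership).

```powershell
# Added example, not the author's code. Run in an elevated PowerShell session
# on a computer inside an OU the "Local Administrators" policy is linked to.
# CONTOSO and "Workstation Local Admins" are placeholders (assumptions) for
# whatever was entered under "Members of this group" in step 7.
$Expected = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Local Admins'
)

function Compare-LocalAdminMembership {
    param(
        [string[]] $Expected,
        # Objects with Name, SID and PrincipalSource, as Get-LocalGroupMember returns
        [object[]] $Members
    )
    # The built-in local Administrator account (RID 500) stays in the group
    # regardless of the Restricted Groups list, so it is not reported as drift.
    $actual = @(
        $Members |
            Where-Object { -not ($_.PrincipalSource -eq 'Local' -and "$($_.SID)" -like '*-500') } |
            ForEach-Object { $_.Name }
    )

    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using it
# avoids depending on a localized group name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
$result  = Compare-LocalAdminMembership -Expected $Expected -Members $members

if ($result.Missing) {
    Write-Warning "Policy not applied yet? Missing: $($result.Missing -join ', ')"
}
if ($result.Unexpected) {
    Write-Warning "Not defined in the policy: $($result.Unexpected -join ', ')"
}
if (-not $result.Missing -and -not $result.Unexpected) {
    Write-Output 'Local Administrators matches the Restricted Groups policy.'
}
```

Because the "Members of this group" list replaces the existing membership of the group, an Unexpected entry should disappear after the next policy refresh; one that persists suggests the policy is not reaching that computer.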

See this article and more on my XpertNotes.Net - Frank McCourry's Blog
2 Comments

Expert Comment

by:Senior IT System Engineer
Frank,

5. BACKUP, BACKUP BACKUP! - Before making changes!

What to back up when making a change to the Group Policy?

Author Comment

by:Frank McCourry
Backups are important if you change an existing policy, or create a policy that can affect access to files and/or settings. This particular policy would be easy to reverse, but imagine creating a policy that affected the ability of an administrator to access Active Directory Objects (ADO) or Group Policy Objects (GPO). As to the what - always be sure you have a backup of the domain controller's System State, which includes Active Directory.

I stress BACKUP BACKUP BACKUP, because without backups, you may have no other way to undo a change that causes you to lose access to something important. This is more of a generic statement reminding us to pay attention to and plot a way to reverse our changes. Obviously, your environment, your policies and your tolerance level will dictate to what extent you follow that advice.