How to build a policy that gives local users administrative rights on the local computer without making them an administrator on the domain.

Some of us want to loosen our control over the local computer, and it really does not matter to us what the user does with it as long as they don’t inflict damage on the domain. By default, Windows makes Domain Admins a local administrator on all computers that are members of the domain. But domain users are still restricted; this is especially true of Windows XP computers. (Yes, there are many of us still using them!)

Here is how you can give a domain user administrative access on their local computer but not make them an administrator on your domain.

Follow these steps:
1. Open Group Policy Management
2. Create a new policy and call it “Local Administrators”
3. Edit the new policy
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
5. Right-click in the right pane and select Add Group
6. Name the group “Administrators” and click OK
7. Double-click the group you just created and add users or groups in the upper pane (Members of this group:) as necessary. Don’t forget to add Domain Admins!
8. In the lower pane (This group is a member of:), click Add and type Administrators. Click OK
9. Click OK
10. Close the editor
11. Apply the policy to the appropriate OUs (Organizational Units, or containers as some of us refer to them)

Reboot the computers and voilà! Your users can now destroy their machines in record time! Without your help!

Some things to remember about group policy implementation:
1. Rarely does a policy take effect on the first reboot. I've had to reboot a computer 3 or 4 times on occasion to get a policy to take.
2. Have patience! Active Directory typically takes 15 minutes or so to replicate. Your policy changes may take up to 3 cycles to completely replicate.
3. You can use gpupdate /force /wait:0 to force the update. Do it on the DCs first, then the workstations.
4. Always use a separate policy for groups of changes, i.e., firewall changes should all be in a policy named "Firewall". By doing this you will be able to troubleshoot more efficiently.
5. BACKUP, BACKUP, BACKUP! - Before making changes!
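
To confirm the policy has actually applied, the following added example (not part of the original article) reads the local Administrators group on each named computer and reports accounts that are present but not expected, or expected but absent. The account names in $Expected are constructed placeholders, and tolerating the built-in local Administrator account is an assumption; pass NetBIOS computer names.

```powershell
# Added example: audit local Administrators after the "Local Administrators" policy applies.
# The account names in $Expected are constructed placeholders, not from the article.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Expected     = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')
)

function Get-LocalAdminMember {
    param([string]$Computer)
    # WinNT ADSI provider: works on old PowerShell versions, no extra modules needed
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/Name, WinNT://DOMAIN/COMPUTER/Name,
        # or WinNT://<SID> when the account can no longer be resolved
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
    }
}

foreach ($computer in $ComputerName) {
    try {
        $actual = @(Get-LocalAdminMember -Computer $computer)
    } catch {
        Write-Warning "$computer : could not read Administrators group: $($_.Exception.Message)"
        continue
    }
    # Assumption: the built-in local Administrator account stays in the group and is tolerated
    $allowed = @($Expected) + "$computer\Administrator"

    # Accounts holding local admin rights that the policy does not list
    foreach ($account in $actual) {
        if ($allowed -notcontains $account) {
            New-Object PSObject -Property @{ Computer = $computer; Account = $account; Status = 'Unexpected' }
        }
    }
    # Accounts the policy lists that are not in the group yet (policy not applied)
    foreach ($account in $Expected) {
        if ($actual -notcontains $account) {
            New-Object PSObject -Property @{ Computer = $computer; Account = $account; Status = 'Missing' }
        }
    }
}
```

No output means the group matches the expected list; a 'Missing' row for Domain Admins usually means step 7 was skipped or the policy has not applied yet.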

See this article and more on my XpertNotes.Net - Frank McCourry's Blog