How to build a policy that gives local users administrative rights on the local computer without making them an administrator on the domain.

Frank McCourry, V.P. Holland Computers, Inc.
Some of us want to loosen our control over the local computer, and it really does not matter to us what the user does with it as long as they don’t inflict damage on the domain. By default, Windows makes Domain Admins a local administrator on all computers that are members of the domain. But domain users are still restricted; this is especially true on Windows XP computers. (Yes, there are many of us still using them!)

Here is how you can give a domain user administrative access on their local computer but not make them an administrator on your domain.

Follow these steps:
1. Open Group Policy Management
2. Create a new policy and call it “Local Administrators”
3. Edit the new policy
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
5. Right-click in the right pane and select Add Group
6. Name the group “Administrators” and click OK
7. Double-click the group you just created and add users or groups in the upper pane (Members of this group:) as necessary. Don’t forget to add Domain Admins!
8. In the lower pane (This group is a member of:), click Add and type Administrators. Click OK
9. Click OK
10. Close the editor
11. Apply the policy to the appropriate OUs (Organizational Units, or containers as some of us refer to them)

Reboot the computers and voilà! Your users can now destroy their machines in record time! Without your help!

Some things to remember about group policy implementation:
1. Rarely does a policy take effect on the first reboot. I've had to reboot a computer 3 or 4 times on occasion to get a policy to take.
2. Have patience! Active Directory typically takes 15 minutes or so to replicate. Your policy changes may take up to 3 cycles to completely replicate.
3. You can use gpupdate /force /wait:0 to force the update. Do it on the DCs first, then the workstations.
4. Always use a separate policy for groups of changes, i.e., firewall changes should all be in a policy named "Firewall". By doing this you will be able to troubleshoot more efficiently.
5. BACKUP, BACKUP, BACKUP! - Before making changes!
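
To confirm on a workstation that the policy actually took, compare the local Administrators group with the list from step 7. Restricted Groups enforces "Members of this group:" as the complete membership, which is why step 7 says not to forget Domain Admins. The script below is an added example, not part of the original article: the account names are constructed placeholders, Compare-AdminMembership is a helper defined here, and it needs the LocalAccounts cmdlets of Windows PowerShell 5.1, so it does not run on Windows XP machines.

```powershell
# Added example. Run in an elevated PowerShell 5.1+ session on a workstation in
# the OU, after the policy refresh has finished.
# The names in $Expected are constructed placeholders: use the entries you put in
# "Members of this group:" in step 7.
$Expected = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Compare-AdminMembership {
    param([string[]]$Expected, [string[]]$Actual)
    # -notin is case-insensitive for strings, which matches how account names behave.
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $Actual })
        Unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
    }
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group, so the
# lookup does not depend on the OS display language.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

# The built-in local Administrator account (RID 500) cannot be removed from the
# group, so it is left out of the comparison.
$Actual = $members |
    Where-Object { -not ($_.Name -like "$env:COMPUTERNAME\*" -and $_.SID.Value -like '*-500') } |
    Select-Object -ExpandProperty Name

$result = Compare-AdminMembership -Expected $Expected -Actual $Actual
$result | Format-List

if ($result.Missing) {
    Write-Warning "Expected but absent (policy may not have applied yet): $($result.Missing -join ', ')"
}
if ($result.Unexpected) {
    Write-Warning "Present but not in the policy's member list: $($result.Unexpected -join ', ')"
}
```

If Missing is not empty, gpresult /r /scope computer shows whether the "Local Administrators" GPO was applied to the machine or filtered out.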

See this article and more on my XpertNotes.Net - Frank McCourry's Blog

Comments (2)

Albert Widjaja, IT Professional


5. BACKUP, BACKUP BACKUP! - Before making changes!

What to back up when making a change to the Group Policy?
Frank McCourry, V.P. Holland Computers, Inc.


Backups are important if you change an existing policy, or create a policy that can affect access to files and/or settings. This particular policy would be easy to reverse, but imagine creating a policy that affected the ability of an administrator to access Active Directory Objects (ADO) or Group Policy Objects (GPO). As to the what - Always be sure you have a backup of the domain controller's System State, which includes Active Directory.

I stress BACKUP BACKUP BACKUP, because without backups, you may have no other way to undo a change that causes you to lose access to something important. This is more of a generic statement reminding us to pay attention to and plot a way to reverse our changes. Obviously, your environment, your policies and your tolerance level will dictate to what extent you follow that advice.
