You may have a need to setup a group of users to allow local administrative access on workstations. In a domain environment this can easily be achieved with Restricted Groups and Group Policies.
This article will demonstrate how to do this easily and how to manage which computers receive the policy.
Step 1 – Creating the Group Policy
Using the Group Policy Management Console(GPMC) we can create a Group Policy. I like to give all my Group Policies a relevant name and prefix but you may have something different in your organisation.
I am going to call min PERM_ClientLocalAdminPermi
The PERM allows me to quickly identify this policy as being related to permissions and then a descriptive name.
Launch the GPMC and locate the Group Policy Objects container. Right Click and select New. Enter the policy name as shown below and click OK
Once done, locate your policy in the list, right click and select Edit
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups (as shown below)
You now need to do the following:
Right Click on Restricted Groups and select Add Group
Click the Browse button
In the Enter the object names to select check box enter the name of the group you want to add to the local Administrators group
In the This group is a member of dialog box click Add
Click Locations and ensure your local machine is selected
In the Enter the object names to select check box enter Administrators
Click OK and then OK again.
Step 2 – Assigning the Policy
It’s not possible to assign a Group Policy to the default computers container. So you will either need to do this at the root Domain level, which I wouldn’t recommend because it would also be applied to servers (by default) or create a new Organisational Unit (OU), move all the computer objects in here and then assign the policy.
To create a new OU launch Active Directory Users and Computers, right click on the domain name at the top and select New and then OU.
Enter the name for your new OU and then click OK.
You can then move the computer objects from the default Computers container in to your new OU, either by dragging or dropping them, or by right clicking and selecting Move.
If you do not wish to apply this policy to all computers then only copy the computer object you want.
Once this has been completed we can link the new Group Policy we have created to the new OU.
To do this, using GPMC navigate to your new OU and right click on it. Select Link an Existing GPO then locate your new Group Policy in the list and click OK.
You have now assigned a Group Policy to add all members of a Domain Group to the local Administrators group on all computers located in your new Organisational Unit.