Posted on 2005-03-09
Medium Priority
Last Modified: 2010-04-10
Hi There

I have got many 3rd party apps running on our system which need updates and deployments to our client machines.

I have recently removed the local user account of the local machine so that the users cannot install, remove or change any settings on their PCs, which is working great.

But, this has created many problems with regard to updates, installs to the clients via login scripts and so on.

If I recreate the local account on the local machine, giving the user admin rights to his PC so that when the login scripts process they will have the rights to install, configure or update, will I still be able to stop the user from installing or changing any settings?

Most of those settings come from our domain policy. If I create the local account for that user on his/her PC with admin rights to that machine, will it override the domain policy?

What can I do?

I don't want the user to be able to fiddle, change, remove or install anything on their machines.

Another problem is, with there being no local account on the local machine, certain apps will not run correctly unless I grant that user admin rights. In some cases I even tried giving them power user rights, which will not work either.

Typically, the user who I don't want to fiddle around is the one who needs admin rights to his PC in order for his apps to work correctly.

Question by:hitechauto

Expert Comment

ID: 13497010
Why don't you create an Organizational Unit, create a group policy at the OU, add all the people that you don't want to let change/install any apps into it and create a group policy at the local computer, like "do not change/install apps/software".
So doing that, nobody in that new OU will be able to do what they want. You will be in charge. If you have conflicts with any more policies above the new one, you just block inheritance.

I hope this will give you an idea.

LVL 25

Accepted Solution

mikeleebrla earned 2000 total points
ID: 13497241
OK, your users don't need local accounts at all to install updates on these machines. They do however need local administrative rights, i.e. put them in the LOCAL Administrators group of each workstation. This is done by opening the Local Users and Groups snap-in (lusrmgr.msc) and adding their domain accounts to the local Administrators group. This way they are logging into the domain (and getting your domain GPOs) but still have rights to do updates. THEY HAVE TO BE IN THE LOCAL ADMINISTRATOR GROUP TO DO UPDATES/INSTALLS. This topic has been discussed MANY times on this website and the end result is always the same: if users need to do administrative tasks on their machines (such as doing updates) then they have to be in the local admin group. The only local account any computer that is a member of a domain needs is the local Administrator account. That way, once the computer is removed from the domain, the local Administrator will be able to log into it.

Author Comment

ID: 13503666
ATTENTION: "mikeleebrla"

As to your answer my question is:

Would I have to add the client username to the local machine admin group at each and every client machine, or can I do this from the domain? If so, how?

Now with all clients having local admin rights to the local machine, they are now open to installing apps, utilities and software any time they like. We have installed all necessary apps and software that they need; now we want to lock down so that they cannot install anything. (How do I do this in the GPO, and where?) But the client still needs to have admin rights to the local machine due to antivirus updates and installs that may be needed.

Would I have to do this in the Computer Configuration or User Configuration in the domain policy?

The problem is, applications come in different formats, i.e. exe, bat, com, zip, msi and so on. How do I block all that? Can I?
LVL 25

Expert Comment

ID: 13507271
Well, you can't have it both ways: either they are in the admin group or they aren't, which means that they can install apps or they can't. If you read your last statement, it says:

now we want to lock down so that they cannot install anything

then it says

But still need the client to have admin rights to the local machine due to antivirus updates and installs that may be needed

you can't have it both ways!!!!!

But to answer your question about adding the domain users to the local admin group, there are two ways you can do it without having to go to each physical computer:

1. You don't have to physically go around to every machine. You can connect to remote computers via MMC and access the Local Users and Groups console of every PC remotely, so it could all be done from one computer while you were logged in with a domain admin account. Of course this would still take a long time if you have a lot of computers on your network.

2. How to add domain groups to the local admin group:


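The accepted answer's task, done from one machine instead of at each PC, as an added example that is not part of the thread or the expert's own step 2. It uses the ADSI WinNT provider (available on the Windows versions of that era) to report who is in each workstation's local Administrators group and, only when -Apply is given, to add one domain group; the computer names and the domain group name are placeholders, and it assumes you run it as a domain admin with RPC access to the workstations.

```powershell
# Added example, not from the thread. Report (and optionally set) local
# Administrators membership on remote workstations from one console.
# Assumptions: run as domain admin; RPC reachable; names below are placeholders.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),          # placeholder workstations
    [string]$DomainGroup = 'CONTOSO\Workstation-Admins',  # placeholder domain group
    [switch]$Apply                                        # without -Apply: report only
)

# WinNT provider stores paths as WinNT://DOMAIN/Name, so normalise the target
$wanted = $DomainGroup -replace '\\', '/'

foreach ($computer in $ComputerName) {
    try {
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Enumerate current members; strip the WinNT:// prefix for readability
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) `
                -replace '^WinNT://', ''
        })

        # Report first: unexpected local admins (stray local accounts, individual
        # users added by hand) show up here and should be reviewed before -Apply
        [PSCustomObject]@{
            Computer = $computer
            Members  = ($members -join '; ')
            HasGroup = ($members -contains $wanted)
        }

        # Add the domain group (not individual users) only when asked and missing
        if ($Apply -and ($members -notcontains $wanted)) {
            $group.psbase.Invoke('Add', "WinNT://$wanted,group")
            Write-Host "$computer`: added $DomainGroup to local Administrators"
        }
    } catch {
        Write-Warning "$computer`: $($_.Exception.Message)"
    }
}
```

Running it without -Apply first gives you an inventory of who already holds local admin rights on each PC, which is the list to check when deciding whether the users the question describes really need to stay in that group.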