• Status: Solved
  • Priority: Medium
  • Security: Public


Hi There

I have got many 3rd party apps running on our system which need updates and deployments to our client machines.

I have recently removed the local user account of the local machine so that the users cannot install, remove or change any settings on their PCs, which is working great.

But, this has created many problems with regard to updates, installs to the clients via login scripts and so on.

If I recreate the local account on the local machine, giving the user admin rights to his PC so that when the login scripts run they will have the rights to install, configure or update, will I still be able to stop the user from installing or changing any settings?

Most of those settings come from our domain policy. If I create the local account for that user on his/her PC with admin rights to that machine, will it override the domain policy?

What can I do?

I don't want the user to be able to fiddle, change, remove or install anything on their machines.

Another problem is, with there being no local account on the local machine, certain apps will not run correctly unless I grant that user admin rights, and in some cases I even tried giving them Power User rights, which will not work either.

Typically, the user whom I don't want fiddling around is the one who needs admin rights to his PC in order for his apps to work correctly.

1 Solution
Why don't you create an Organizational Unit, create a group policy at the OU, add all the people that you don't want to let change/install any apps, and create a group policy at the local computer, like "do not change/install apps/software".
So doing that, nobody in that new OU will be able to do what they want. You will be in charge. If you have conflicts with any more policies above the new one, you just block inheritance.

I hope this will give you an idea.

OK, your users don't need local accounts at all to install updates on these machines. They do, however, need local administrative rights, i.e. put them in the LOCAL Administrators group of each workstation. This is done by opening the Local Users and Groups snap-in (lusrmgr.msc) and adding their domain accounts to the local Administrators group. This way they are logging into the domain (and getting your domain GPOs) but still have rights to do updates. THEY HAVE TO BE IN THE LOCAL ADMINISTRATOR GROUP TO DO UPDATES/INSTALLS. This topic has been discussed MANY times on this website and the end result is always the same: if users need to do administrative tasks on their machines (such as doing updates) then they have to be in the local admin group. The only local account any computer that is a member of a domain needs is the local Administrator account. That way, once the computer is removed from the domain, the local Administrator will be able to log into it.
hitechauto (Author) commented:
ATTENTION: "mikeleebrla"

As to your answer my question is:

Would I have to add the client username to the local machine Administrators group at each and every client machine, or can I do this from the domain? If so, how?

Now with all clients having local admin rights to the local machine, they are open to installing apps, utilities and software any time they like. We have installed all necessary apps and software that they need; now we want to lock down so that they cannot install anything. (How do I do this in the GPO and where?) But the client still needs to have admin rights to the local machine due to antivirus updates and installs that may be needed.

Would I have to do this in the Computer Configuration or User Configuration of the domain policy?

The problem is, applications come in different formats, i.e. (exe, bat, com, zip, msi and so on). How do I block all that? Can I?
Well, you can't have it both ways: either they are in the admin group or they aren't, which means that they can install apps or they can't. If you read your last statement it says:

now we want to lock down so that they cannot install anything

then it says

But still need the client to have admin rights to the local machine due to antivirus updates and installs that may be needed

you can't have it both ways!!!!!

But to answer your question about adding the domain users to the local admin group, there are 2 ways you can do it without having to go to each physical computer:

There are two ways you can do this.

1.  You don't have to physically go around to every machine. You can connect to remote computers via MMC and access the Local Users and Groups console of every PC remotely, so it could all be done from one computer while you were logged in with a domain admin account. Of course this would still take a long time if you have a lot of computers on your network.

2.  How to add domain groups to the local admin group:
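The remote membership change described in the two answers above, as an added example that is not part of the original thread: a PowerShell script that adds one domain group to the local Administrators group on a list of workstations from a single console, and reports any other members so surplus admin rights can be reviewed. The domain name CORP, the group WS-Admins-Apps and the computer names are placeholders; it assumes you run it as a domain admin with RPC/SMB access to the targets.

```powershell
# Added example, not code from the thread. Uses the ADSI WinNT provider,
# which reads and writes the same local SAM data that lusrmgr.msc shows.
param(
    [string]$Domain      = 'CORP',             # placeholder
    [string]$DomainGroup = 'WS-Admins-Apps',   # placeholder
    [string[]]$Computers = @('WS01', 'WS02'),  # placeholder
    [switch]$Apply       # without -Apply the script only reports membership
)

function Get-LocalAdminMembers([string]$Computer) {
    # Returns members as "DOMAIN/Name" or "COMPUTER/Name" strings
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

$target = "$Domain/$DomainGroup"

foreach ($c in $Computers) {
    try {
        $before = Get-LocalAdminMembers $c
        if ($Apply -and ($before -notcontains $target)) {
            $group = [ADSI]"WinNT://$c/Administrators,group"
            $group.Add("WinNT://$Domain/$DomainGroup,group")
            Write-Host "$c`: added $target to local Administrators"
        }
        # Least privilege check: anything other than the domain group and the
        # built-in local Administrator account is a candidate for removal.
        $extra = Get-LocalAdminMembers $c |
            Where-Object { $_ -ne $target -and $_ -ne "$c/Administrator" }
        [pscustomobject]@{ Computer = $c; ExtraAdmins = ($extra -join ', ') }
    } catch {
        Write-Warning "$c`: $($_.Exception.Message)"
    }
}
```

Run it once without -Apply to see who is already a local admin on each machine, then with -Apply to make the change.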

