Local admin rights in AD-environment with GPO

Posted on 2005-04-21
Last Modified: 2011-04-14

We are running a windows 2000/2003 environment with mostly windows xp clients.
All of our users are "domain admins" and as you already know, this is something that keeps you awake at night... Now, I want to make them ordinary "domain users" but some of the users need to have local admin rights. Maybe all of the users, to make Windows Update work?
I have read some of the posted questions in this excellent forum but still I can't get it to work.
If it's possible, can I make the group "domain users" have local admin rights? If yes, how do I do it? Can this be done in a GPO? If it's possible, I don't want to make the changes on each workstation.
I have checked almost all of the GPO settings but I'm not sure where to start.

Question by:smvkuser
    LVL 57

    Expert Comment

    by:Pete Long
    1. Without the usual song and dance, remove them from the domain admins group (you know why - nuff said)

    2. use this

    3. sleep better :)
    LVL 57

    Accepted Solution

    Still I wouldn't be happy having my users as local admins - but there you go.

    Create a domain group called "LOCAL_admins", add that to the local admin group on each PC (using the above), then as you identify a "special user" drop him/her in the LOCAL_admins group and get them to reboot (rights from group membership need a logoff/logon).

    Author Comment

    Hi and Thanks!

    Just wondering if there isn't any way to solve all this with a GPO?

    LVL 57

    Expert Comment

    by:Pete Long
    Not that I'm aware of - ThanQ


    Expert Comment

    This how-to will walk you through using Restricted Groups to put users in the local admin group on all PCs. It will also add them to the Remote Desktop Users group.
    The usefulness in this is keeping as many people out of the domain admin group as possible while allowing the techs to work.
    I see this in forums every once in a while, but since I am revamping some policies with 2008R2 I thought I would take the time to write down the steps to do this handy little procedure.
    I have created these instructions for 2008R2; it should work with 2003 just fine, but if you need more details on 2003 check my reference below.
    1.  Define Security Group
    First you need to define a security group in AD users and computers. In this example I am creating a security group called IT_Admins
    1. Log onto a Domain Controller
    2. Right click Users, New->Group->Security. Call it IT_Admins.
    3. Add the proper members. I will add myself, Optimus, and Zelda.
    2.  Create Group Policy.
    Next you need to create a group policy or use the default Domain Policy (not recommended).
    For this example I am creating a separate policy called "Local Administrators"
    1. Open Group Policy Management Console
    2. Right click your domain or OU.
    3. Click Create a GPO in this domain, and link it here.
    4. Call it "Local Administrators"
    5. You should see the policy in the tree now.
    3.  Edit the policy to contain the IT_Admins group
    Here you will add the IT_Admins group to the local administrators policy and put them in the groups you wish them to use.

    1. Right click "Local Administrators" Policy.
    2. Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    3. In the Right pane of Restricted Groups, Right click and hit "Add Group..."
    4. Type IT_Admins and hit "OK"
    5. Click Add under "This group is a member of:"
    6. Add the "Administrators" Group.
    7. Add "Remote Desktop Users"
    8. OK

    *NOTE: When adding groups, you can add whatever you want; the GPO will match the group on the PC. If you type "Princess" it will match a local group called princess if it exists and put "IT_Admins" in that group.
    **NOTE: If you change "Members of this group:" it will overwrite the accounts you set up in step 1.
    4.  Test
    Wait 15 minutes, or log on to a PC and type gpupdate /force and check the local administrators group. You should see IT_Admins in the group now.
    Optimus and Zelda can now access all PCs remotely as a local administrator.

    You can add a lot of different groups to power users or different areas on PCs. This allows you to dynamically change who is a member of what group on a PC/Laptop. It is up to you to craft the policy to fit your domain needs.

    Found this on a Spiceworks site and also used it.
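    The procedure above, scripted as an added PowerShell example (this is not code from the thread or from Experts Exchange). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the machine you run it from, and the OU distinguished name, the user names and the expected-member list are placeholders for your own domain. Restricted Groups has no GroupPolicy cmdlet, so step 3 stays a GPMC editor step; the script covers the group, the GPO and its link, and the step 4 check, which on each client compares the local Administrators group with what the policy should produce and flags stray members such as "Domain Users" left over from the old setup (Get-LocalGroupMember needs Windows PowerShell 5.1 or later, so it applies to newer clients, not the XP machines in the question).

```powershell
# Added example, not from the original thread. Placeholders are marked.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'IT_Admins'                            # from the how-to
$GpoName   = 'Local Administrators'                 # from the how-to
$TargetOU  = 'OU=Workstations,DC=example,DC=com'    # placeholder: your OU
$Members   = @('optimus', 'zelda')                  # placeholder sAMAccountNames

# Step 1: the domain security group that the policy pushes into local groups.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators via Restricted Groups'
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 2: create the GPO and link it to the workstation OU rather than the
# domain root, so servers and domain controllers are not caught by accident.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName `
        -Comment 'Restricted Groups: IT_Admins -> Administrators, Remote Desktop Users'
}
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# Step 3: no cmdlet exists for Restricted Groups, so configure it in GPMC:
#   Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
#   Add Group: IT_Admins; "This group is a member of:" Administrators, Remote Desktop Users.
#   Leave "Members of this group:" alone, or it replaces the local group's membership.

# Step 4 (run on a client): refresh policy and compare the local Administrators
# group against the expected list. Anything unexpected (a leftover "Domain Users"
# entry, an old per-user grant) is what you want to find and clean up.
function Test-LocalAdminMembership {
    param(
        # placeholder: the members you expect after the policy applies
        [string[]]$Expected = @('Administrator', 'Domain Admins', 'IT_Admins')
    )
    gpupdate /force | Out-Null
    $actual = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { ($_.Name -split '\\')[-1] }   # strip DOMAIN\ or HOST\
    $unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    $missing    = @($Expected | Where-Object { $_ -notin $actual })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

Test-LocalAdminMembership | Format-List
```

    Run the client part on a few machines in the OU after the 15-minute refresh (or the gpupdate the how-to mentions): Compliant should be True, Missing should be empty, and anything in Unexpected is a member the policy did not put there, which is exactly the kind of leftover the original question is trying to get rid of.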
