

Local admin rights in AD-environment with GPO

Posted on 2005-04-21
Medium Priority
Last Modified: 2011-04-14

We are running a Windows 2000/2003 environment with mostly Windows XP clients.
All of our users are "domain admins" and, as you already know, this is something that keeps you awake at night... Now I want to make them ordinary "domain users", but some of the users need to have local admin rights. Maybe all of the users, to make Windows Update work?
I have read some of the posted questions in this excellent forum but still I can't get it to work.
If it's possible, can I make the group "domain users" have local admin rights? If yes, how do I do it? Can this be done in GPO? If it's possible, I don't want to make the changes on each workstation.
I have checked almost all of the GPO settings but I'm not sure where to start.

Question by:smvkuser
LVL 57

Expert Comment

by:Pete Long
ID: 13832221
1. Without the usual song and dance, remove them from the domain admins group (you know why - nuff said)

2. use this http://www.petri.co.il/a2a.htm

3. sleep better :)
LVL 57

Accepted Solution

Pete Long earned 500 total points
ID: 13832237
Still I wouldn't be happy having my users as local admins - but there you go.

Create a domain group called "LOCAL_admins", add that to the local admin group on each PC (using the above), then as you identify a "special user" drop him/her in the domain LOCAL_admins group and get them to reboot (rights from group membership need a logoff/logon).
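The procedure in the accepted answer, as an added example that is not part of the thread or of the linked Petri article: create the domain group once, then grant it membership of the local Administrators group on each PC from a central admin workstation and collect the result per machine. It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM on the targets, and PowerShell 5.1+ on the targets for Add-LocalGroupMember (with a `net localgroup` fallback for older systems); the group name, OU path and computer list are placeholders.

```powershell
# Added example (not from the thread). Placeholders: group name, OU, computer list.
Import-Module ActiveDirectory

$GroupName = 'LOCAL_admins'                          # the group Pete suggests
$GroupPath = 'OU=Groups,DC=example,DC=local'        # placeholder OU
$Computers = @('WS001', 'WS002')                     # constructed list of PCs
$Domain    = (Get-ADDomain).NetBIOSName

# 1. Create the domain group once (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath `
        -Description 'Users permitted local Administrators rights on workstations'
}

# 2. Add DOMAIN\LOCAL_admins to the local Administrators group on each PC.
#    Membership is checked first so re-running the script is harmless.
$Report = foreach ($pc in $Computers) {
    try {
        Invoke-Command -ComputerName $pc -ErrorAction Stop `
            -ArgumentList "$Domain\$GroupName" -ScriptBlock {
            param($Member)
            if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
                $present = Get-LocalGroupMember -Group 'Administrators' |
                    Where-Object { $_.Name -eq $Member }
                if (-not $present) {
                    Add-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
                    $status = 'added'
                } else {
                    $status = 'already present'
                }
            } else {
                # Older Windows without the LocalAccounts module
                net localgroup Administrators $Member /add | Out-Null
                $status = if ($LASTEXITCODE -eq 0) { 'added' } else { 'net localgroup failed' }
            }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = $status }
        }
    } catch {
        [pscustomobject]@{ Computer = $pc; Status = "failed: $($_.Exception.Message)" }
    }
}

$Report | Format-Table -AutoSize
```

Only the domain group is ever placed in the local Administrators group; individual users are added to or removed from LOCAL_admins in AD, which is what keeps the per-PC change a one-time operation.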

Author Comment

ID: 13834115
Hi and Thanks!

Just wondering if there isn't any way to solve all this with a GPO?

LVL 57

Expert Comment

by:Pete Long
ID: 13840692
Not that I'm aware of - ThanQ


Expert Comment

ID: 35396390
This how-to will walk you through using Restricted Groups to put users in the local admin group on all PCs. It will also add them to the Remote Desktop Users group.
The usefulness in this is keeping as many people out of the domain admin group as possible while allowing the techs to work.
I see this in forums every once in a while, but since I am revamping some policies with 2008R2 I thought I would take the time to write down the steps to do this handy little procedure.
I have created these instructions for 2008R2; it should work with 2003 just fine, but if you need more details on 2003 check my reference below.

1. Define Security Group
First you need to define a security group in AD Users and Computers. In this example I am creating a security group called IT_Admins.
   a. Log onto a Domain Controller.
   b. Right click Users, New -> Group -> Security. Call it IT_Admins.
   c. Add the proper members. I will add myself, Optimus, and Zelda.

2. Create Group Policy
Next you need to create a group policy or use the default Domain Policy (not recommended).
For this example I am creating a separate policy called "Local Administrators".
   a. Open Group Policy Management Console.
   b. Right click your domain or OU.
   c. Click "Create a GPO in this domain, and link it here".
   d. Call it "Local Administrators".
   e. You should see the policy in the tree now.

3. Edit the policy to contain the IT_Admins group
Here you will add the IT_Admins group to the local administrators policy and put them in the groups you wish them to use.
   a. Right click the "Local Administrators" policy and edit it.
   b. Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
   c. In the right pane of Restricted Groups, right click and hit "Add Group...".
   d. Type IT_Admins and hit "OK".
   e. Click Add under "This group is a member of:".
   f. Add the "Administrators" group.
   g. Add "Remote Desktop Users".
   h. OK.

*NOTE: When adding groups, you can add whatever you want; the GPO will match the group on the PC. If you type "Princess" it will match a local group called Princess if it exists and put "IT_Admins" in that group.
**NOTE: If you change "Members of this group:" it will overwrite the accounts you set up in step 1.

4. Test
Wait 15 minutes, or log on to a PC and type gpupdate /force, and check the local Administrators group. You should see IT_Admins in the group now.
Optimus and Zelda can now access all PCs remotely as a local administrator.

You can add a lot of different groups to Power Users or different areas on PCs. This allows you to dynamically change who is a member of what group on a PC/laptop. It is up to you to craft the policy to fit your domain needs.

Found this on a Spiceworks site and also used it.
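The "Test" step above checked one PC by hand. As an added example, not part of the post or of the Spiceworks write-up it came from, this script does the same check across a list of computers once the Restricted Groups GPO has applied, and reports any member of the local Administrators group that is not on the expected list (drift), as well as any expected member that is missing. It assumes WinRM and PowerShell 5.1+ on the targets; the domain name, group names and computer names are placeholders, and computers are given by their short NetBIOS names so the built-in local Administrator account can be matched.

```powershell
# Added example (not from the thread). Placeholders: domain, group names, computer list.

function Get-LocalAdminDrift {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,      # short NetBIOS names
        [Parameter(Mandatory)] [string[]] $ExpectedMembers    # e.g. 'CONTOSO\IT_Admins'
    )
    foreach ($pc in $ComputerName) {
        try {
            # Get-LocalGroupMember returns Name as 'DOMAIN\account' or 'COMPUTER\account'
            $members = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
                (Get-LocalGroupMember -Group 'Administrators').Name
            }
        } catch {
            [pscustomobject]@{ Computer = $pc; Status = 'unreachable'; Unexpected = @(); Missing = @() }
            continue
        }
        # The built-in local Administrator (RID 500) is always a member, so expect it too.
        $expected   = $ExpectedMembers + "$pc\Administrator"
        # -notin compares case-insensitively, which matches how Windows treats account names
        $unexpected = @($members  | Where-Object { $_ -notin $expected })
        $missing    = @($expected | Where-Object { $_ -notin $members })
        [pscustomobject]@{
            Computer   = $pc
            Status     = if ($unexpected.Count -or $missing.Count) { 'drift' } else { 'ok' }
            Unexpected = $unexpected
            Missing    = $missing
        }
    }
}

# Usage: what the local Administrators group should contain after the
# "Local Administrators" GPO from the post is in place. Domain Admins is there
# from domain join, IT_Admins from the Restricted Groups setting.
$expected = @('CONTOSO\IT_Admins', 'CONTOSO\Domain Admins')   # placeholder domain
Get-LocalAdminDrift -ComputerName @('WS001', 'WS002') -ExpectedMembers $expected |
    Format-Table -AutoSize
```

Anything listed under Unexpected is a local admin the GPO did not put there (a leftover personal account, a group added by hand), which is exactly the kind of entry the second NOTE in the post is about: a "Members of this group:" setting would remove it, while the "This group is a member of:" setting used here leaves it alone, so a periodic run of this report is the way to catch it.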


