Active Directory - How To: Local Admin

Posted on 2005-05-09
Last Modified: 2010-03-18

Totally new to Active Directory..... Urgent (and possibly more than one question?) - so 500 points.

One person (other than me) requires full admin access to the domain controller machine - for everything APART from changing Active Directory related settings etc.

A couple of users require "real" Administration rights locally to their machine only.

Almost everyone requires local Administration rights to allow Norton Anti Virus live update to run.

My question(s) are:
How do I allow Admin access to a user for all tasks except amending the Active Directory related "stuff"

How do I make someone an Administrator for their machine only? Preferably with the ability to manage this via Active Directory - rather than having to tinker with every machine locally.

Question by:chris000

    Accepted Solution

    Ok.....I'll try to make this as simple as possible.

    Domain admins and local admins are COMPLETELY different and separate.

    A domain admin has complete control of the domain (active directory) and of any domain controllers (any servers that have active directory installed on them).  So you and the other person who needs full domain access would be domain admins.

    Local admin rights are just that....they are local. So those users would be normal "domain users", but you would just add their domain user account into the local admin group on their local machine. Just as you would add a local account into the admin group or power user group.

    You can quite simply add everyone to the local admin group on each computer by adding the domain users group to the local admin group. You can do this globally via two methods. Although I CAUTION you to think seriously about why you are granting users local admin rights. Best practice is to NOT give your users local admin rights for security reasons among others.

    The first is to create a script and run it on startup, the script would contain the following line:

    net localgroup "Administrators" "domain\user" /ADD

    The second option is to use restricted groups. I personally prefer the first method because I think it is less invasive and less powerful, but many people prefer the restricted group method. If you use restricted groups, BE VERY CAREFUL.....ALL your local admin groups will be completely reset and all current users will be removed including the local admin account on each of your machines. Here are instructions:;en-us;320065
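    As an added example (not code from the thread or from the expert), here is a PowerShell version of the startup-script approach above: it adds a domain group to the local Administrators group only if it is not already a member, and then reports the over-broad grant the answer cautions against (the whole "Domain Users" group sitting in Administrators). It assumes the LocalAccounts cmdlets (Windows 10 / Server 2016 and later, PowerShell 5.1+), that the script runs as SYSTEM via a Group Policy startup script, and that the domain name EXAMPLE and the group name Workstation-LocalAdmins are placeholders.

```powershell
# Added example: idempotent startup script plus a local-admin audit.
# EXAMPLE and Workstation-LocalAdmins are placeholders, not values from the thread.
param(
    [string]$Domain = 'EXAMPLE',                 # placeholder NetBIOS domain name
    [string]$Group  = 'Workstation-LocalAdmins'  # placeholder AD group; deliberately NOT "Domain Users"
)

function Add-LocalAdminIfMissing {
    param([string]$Principal)   # e.g. EXAMPLE\Workstation-LocalAdmins
    # Get-LocalGroupMember reports members as DOMAIN\name; -contains compares case-insensitively.
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    if ($members -contains $Principal) {
        Write-Output "$Principal is already in Administrators; nothing to do"
        return $false
    }
    # Equivalent of: net localgroup "Administrators" "DOMAIN\group" /ADD
    Add-LocalGroupMember -Group 'Administrators' -Member $Principal
    Write-Output "Added $Principal to Administrators"
    return $true
}

function Test-RiskyLocalAdmins {
    # Returns any member that hands local admin to every domain account; an empty result is the goal.
    $broad = @("$Domain\Domain Users", 'Everyone', 'NT AUTHORITY\Authenticated Users')
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $broad -contains $_.Name } |
        Select-Object -ExpandProperty Name
}

Add-LocalAdminIfMissing -Principal "$Domain\$Group"
$risky = Test-RiskyLocalAdmins
if ($risky) { Write-Warning "Over-broad local admin grant on $env:COMPUTERNAME: $($risky -join ', ')" }
```

    Because the membership check runs before the add, the script can be assigned as a startup script and re-run on every boot without error noise, and the warning gives a per-machine signal that "Domain Users" has crept into Administrators.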

    Expert Comment

    You shouldn't need local admin rights for Live Update to run. My users are restricted users and LiveUpdate runs correctly for them.

    Author Comment

    If I understand you correctly, if someone can administer the machine, they can amend the Active Directory settings? (Can another group like Server Operator be used instead of administrator? Person needs to be able to reboot, backup, tweak IIS (for SUS) and that's about it)

    In the ideal world I'd not add the general users to local admin...... But according to Symantec I need to do this:

    I'm not using Norton AntiVirus Corporate Edition - maybe I should.

    I'm curious - how do you get restricted users to run LiveUpdate -> I appreciate this is another question, so more points available if this one can be solved!

    Author Comment

    BTW - if relevant (should have said this first!)

    Domain Controller is WIN2003 standard
    Person(s) who need local admin are WIN2000 (you've answered this already - thanks)
    All other users run XP PRO SP2

    The XP users run either NAV2004 or NAV2005

    They only currently use local admin to allow LiveUpdate to run (as I understood it this was required, see above link)

    Expert Comment

    Yes, I would highly suggest using symantec corp. edition...this is what I use and you can set it up to run live update automatically no matter who is logged in plus you can remotely control scans, etc if you set it up as managed.

    Author Comment

    One for the next quarter - splurged all the budget on Active Directory machine!

    Thanks for your rapid responses.

    Expert Comment

    When a server is a domain controller you don't have a local account database on it, so there are no local users on a domain controller like there are on workstations or non-DC servers.

    You can try the server operators group, that should give them the rights they need for basic tasks. Here is some more info on domain groups:
