• Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory - How To: Local Admin


Totally new to Active Directory..... Urgent (and possibly more than one question?) - so 500 points.

One person (other than me) requires full admin access to the domain controller machine - for everything APART from changing Active Directory related settings etc.

A couple of users require "real" Administration rights locally to their machine only.

Almost everyone requires local Administration rights to allow Norton Anti Virus live update to run.

My question(s) are:
How do I allow Admin access to a user for all tasks except amending the Active Directory related "stuff"

How do I make someone an Administrator for their machine only? Preferably with the ability to manage this via Active Directory - rather than having to tinker with every machine locally.

1 Solution
Ok.....I'll try to make this as simple as possible.

Domain admins and local admins are COMPLETELY different and separate.

A domain admin has complete control of the domain (active directory) and of any domain controllers (any servers that have active directory installed on them).  So you and the other person who needs full domain access would be domain admins.

Local admin rights are just that....they are local. So those users would be normal "domain users", but you would just add their domain user account into the local admin group on their local machine. Just as you would add a local account into the admin group or power user group.

You can quite simply add everyone to the local admin group on each computer by adding the domain users group to the local admin group. You can do this globally via two methods. Although I CAUTION you to think seriously about why you are granting users local admin rights. Best practice is to NOT give your users local admin rights for security reasons among others.

The first is to create a script and run it on startup, the script would contain the following line:

net localgroup "Administrators" "domain\user" /ADD

The second option is to use restricted groups. I personally prefer the first method because I think it is less invasive and less powerful, but many people prefer the restricted group method. If you use restricted groups, BE VERY CAREFUL.....ALL your local admin groups will be completely reset and all current users will be removed including the local admin account on each of your machines. Here are instructions:


You shouldn't need local admin rights for Live Update to run. My users are restricted users and LiveUpdate runs correctly for them.
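As an added example (not part of the original answer), the startup-script approach above written so it can run on every boot without error, and with its scope narrowed from "Domain Users" to a dedicated domain group whose membership is managed centrally in Active Directory; CONTOSO\Workstation-Admins and the log path are assumed placeholders.

```batch
@echo off
rem Constructed example, not from the original answer or any vendor.
rem Idempotent computer-startup script: grants local Administrators membership
rem to ONE dedicated domain group instead of to every domain user, so the set
rem of local admins on all workstations is controlled from a single AD group.
rem CONTOSO\Workstation-Admins and the log file location are placeholders.

setlocal
set "DOMAINGROUP=CONTOSO\Workstation-Admins"
set "LOGFILE=%SystemRoot%\Temp\localadmin-startup.log"

rem "Administrators" is the English name of the built-in group; on a
rem localized Windows install substitute the localized group name.
rem Check current membership first so repeated boots do not generate
rem "already a member" errors and the script only changes what is needed.
net localgroup Administrators | find /i "%DOMAINGROUP%" >nul
if "%errorlevel%"=="0" (
    echo %DATE% %TIME% ok: %DOMAINGROUP% already in Administrators>> "%LOGFILE%"
    goto :eof
)

rem Same command as in the answer above, applied to the dedicated group.
net localgroup Administrators "%DOMAINGROUP%" /add
set "RC=%errorlevel%"
if "%RC%"=="0" (
    echo %DATE% %TIME% added: %DOMAINGROUP% to Administrators>> "%LOGFILE%"
) else (
    echo %DATE% %TIME% FAILED rc=%RC% adding %DOMAINGROUP%>> "%LOGFILE%"
)
endlocal
```

Who is a local admin is then decided purely by membership of that one AD group, and the script never removes or replaces other Administrators members, unlike a Restricted Groups policy.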
chris000 (Author) commented:

If I understand you correctly, if someone can administer the machine, they can amend the Active Directory settings? (Can another group like Server Operator be used instead of administrator? Person needs to be able to reboot, backup, tweak IIS (for SUS) and that's about it)

In the ideal world I'd not add the general users to local admin...... But according to Symantec I need to do this:

I'm not using Norton AntiVirus Corporate Edition - maybe I should.

I'm curious - how do you get restricted users to run LiveUpdate -> I appreciate this is another question, so more points available if this one can be solved!
chris000 (Author) commented:
BTW - if relevant (should have said this first!)

Domain Controller is WIN2003 standard
Person(s) who need local admin are WIN2000 (you've answered this already - thanks)
All other users run XP PRO SP2

The XP users run either NAV2004 or NAV2005

They only currently use local admin to allow LiveUpdate to run (as I understood it this was required, see above link)
Yes, I would highly suggest using symantec corp. edition...this is what I use and you can set it up to run live update automatically no matter who is logged in plus you can remotely control scans, etc if you set it up as managed.
chris000 (Author) commented:
One for the next quarter - splurged all the budget on Active Directory machine!

Thanks for your rapid responses.
When a server is a domain controller then you don't have a local account database on that system......so there are no local users on a domain controller like there are on workstations or non DC servers.

You can try the server operators group, that should give them the rights they need for basic tasks. Here is some more info on domain groups:
