Active Directory - How To: Local Admin

Posted on 2005-05-09
Medium Priority
Last Modified: 2010-03-18

Totally new to Active Directory..... Urgent (and possibly more than one question?) - so 500 points.

One person (other than me) requires full admin access to the domain controller machine - for everything APART from changing Active Directory related settings etc.

A couple of users require "real" Administration rights locally to their machine only.

Almost everyone requires local Administration rights to allow Norton Anti Virus live update to run.

My question(s) are:
How do I allow Admin access to a user for all tasks except amending the Active Directory related "stuff"?

How do I make someone an Administrator for their machine only? Preferably with the ability to manage this via Active Directory - rather than having to tinker with every machine locally.

Question by: chris000
LVL 18

Accepted Solution

luv2smile earned 2000 total points
ID: 13961993
Ok.....I'll try to make this as simple as possible.

Domain admins and local admins are COMPLETELY different and separate.

A domain admin has complete control of the domain (active directory) and of any domain controllers (any servers that have active directory installed on them).  So you and the other person who needs full domain access would be domain admins.

Local admin rights are just that....they are local. So those users would be normal "domain users", but you would just add their domain user account into the local admin group on their local machine. Just as you would add a local account into the admin group or power user group.

You can quite simply add everyone to the local admin group on each computer by adding the domain users group to the local admin group. You can do this globally via two methods. Although I CAUTION you to think seriously about why you are granting users local admin rights. Best practice is to NOT give your users local admin rights for security reasons among others.

The first is to create a script and run it on startup, the script would contain the following line:

net localgroup "Administrators" "domain\user" /ADD

The second option is to use restricted groups. I personally prefer the first method because I think it is less invasive and less powerful, but many people prefer the restricted group method. If you use restricted groups, BE VERY CAREFUL.....ALL your local admin groups will be completely reset and all current users will be removed including the local admin account on each of your machines. Here are instructions:
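As an added example (not code from the thread or from the answerer), here is the startup-script approach above written out as a cmd batch file: it checks whether the group is already in local Administrators before calling net localgroup, so the script runs cleanly at every boot instead of failing on the second run, and it logs what it did for later review. The group name CONTOSO\LocalAdmins-Workstations and the log path are placeholders; a dedicated domain group is used rather than Domain Users, in line with the answer's caution about granting admin rights broadly.

```batch
@echo off
rem Constructed example startup script: ensure a domain group is a member of
rem the local Administrators group, adding it only if it is missing.
rem CONTOSO\LocalAdmins-Workstations is a placeholder group name (assumption).
setlocal
set "GROUP=CONTOSO\LocalAdmins-Workstations"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"
set "STAMP=%DATE% %TIME% %COMPUTERNAME%"

rem "net localgroup Administrators" lists current members; findstr looks for
rem the group name (case-insensitive) so the add is skipped when it is present.
net localgroup Administrators | findstr /I /C:"%GROUP%" >nul
if not errorlevel 1 (
    echo %STAMP%: %GROUP% already in Administrators, nothing to do>>"%LOG%"
    goto :done
)

rem Group not found: add it. The command must run as SYSTEM (a GPO startup
rem script does), since only an administrator can change local group membership.
net localgroup Administrators "%GROUP%" /ADD >nul 2>&1
if errorlevel 1 (
    echo %STAMP%: FAILED to add %GROUP% to Administrators>>"%LOG%"
) else (
    echo %STAMP%: added %GROUP% to Administrators>>"%LOG%"
)

:done
endlocal
```

Assign the script as a Computer Configuration startup script in a GPO linked to the OU holding the workstations; the log gives a per-machine record of when membership changed.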


LVL 18

Expert Comment

ID: 13962003
You shouldn't need local admin rights for Live Update to run. My users are restricted users and LiveUpdate runs correctly for them.

Author Comment

ID: 13962168

If I understand you correctly, if someone can administer the machine, they can amend the Active Directory settings? (Can another group like Server Operator be used instead of administrator? Person needs to be able to reboot, backup, tweak IIS (for SUS) and that's about it)

In the ideal world I'd not add the general users to local admin...... But according to Symantec I need to do this:

I'm not using Norton AntiVirus Corporate Edition - maybe I should.

I'm curious - how do you get restricted users to run LiveUpdate -> I appreciate this is another question, so more points available if this one can be solved!

Author Comment

ID: 13962243
BTW - if relevant (should have said this first!)

Domain Controller is WIN2003 standard
Person(s) who need local admin are WIN2000 (you've answered this already - thanks)
All other users run XP PRO SP2

The XP users run either NAV2004 or NAV2005

They only currently use local admin to allow LiveUpdate to run (as I understood it this was required, see above link)
LVL 18

Expert Comment

ID: 13962432
Yes, I would highly suggest using Symantec Corp. Edition...this is what I use and you can set it up to run live update automatically no matter who is logged in, plus you can remotely control scans, etc. if you set it up as managed.

Author Comment

ID: 13962468
One for the next quarter - splurged all the budget on Active Directory machine!

Thanks for your rapid responses.
LVL 18

Expert Comment

ID: 13962608
When a server is a domain controller then you don't have a local account database on that system......so there are no local users on a domain controller like there are on workstations or non DC servers.

You can try the server operators group, that should give them the rights they need for basic tasks. Here is some more info on domain groups:

