I only want you to be a Local Admin! AHhhhhhhhh!!

Posted on 2006-05-05
Last Modified: 2010-04-18
Ok Guys,

The problem is I have a team of developers and I need them to be Administrators of their own machines but nothing more. They can install, they can utilise IIS but I don't want them to do any more. I need them NOT to access the domain controllers (fiddle with AD) or Exchange servers (change settings). I would prefer it if their local admin privileges were roaming so any machine they used would grant them local admin rights for that session and once they log out the next user that logs in will have no admin rights on their machine. If this is not possible then admin rights on their personal PC is fine (using their domain username and password). At the moment they are part of the Domain Admins group. The network is native 2003 Server.

Basically, the question has been asked so many times here but it's not that I don't get it. I'm worried about doing it.
The reason I'm worried is because of this (this was posted by someone about 3 years ago).


Comment from trywaredk
Date: 04/12/2003 04:26PM BST

PROTOFJ... "Log on locally at machine and add domain user(group) to local admins group"

It's not simple, it's a disaster.

PREMIERNC and PROTOFJ and everybody else....
You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.
And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation
If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
Please reply, when You have removed the Domain User Group from the Local Admin Group again!

Many Regards

Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

Can someone give me simple step-by-step instructions for doing this safely?
Thanks guys!
Question by: dqnet
    LVL 33

    Assisted Solution

    1) Log on to USERA's workstation as an administrator
    2) Go to MANAGE my computer
    3) Expand the GROUPS folder - and double click ADMINISTRATORS
    4) Add the USERA's account from the domain to the Administrators group on the workstation.
    5) click OK

    Have the user login...

    Author Comment

    Doesn't the statement made 3 years ago contradict that?
    LVL 33

    Expert Comment

    The posted information (from 3 years ago) doesn't make sense to me...

    "You have to grant a Domain User Group to the Local Admin Group"  I'm not asking you to add the DOMAIN USER GROUP to the local administrators group...  Rather, just add the domain user to the local admins group.

    This user will only have access to the local administrators group of the machine you perform this action on.  On no other machine will this user have local admin access...

    Author Comment

    Thanks for all the info NJ.
    But one small problem mate. Those machines can no longer access $ share.
    My test box is constantly asking for a username and password.
    Should I just put one with admin privileges and let them use that?
    Or can I modify their username to be able to access $ on the servers.

    Author Comment

    I mean, they should be able to access the drives on the other machines as they share code.
    Do I have to create shares? Or is it possible to change something in their login name to enable them to use $ share.
    LVL 6

    Assisted Solution

    Well, if they're accessing $ shares (I assume you mean administrative shares such as admin$ and c$), then they need admin privileges on the machines they're accessing.  If there's a specific reason they need access to that share, whether they need a subfolder or something like that, identify the resource needed, and share that - and only that - resource.  Either that or add them as admins on the machine with the $ share you want them to access.  

    Maybe I've been doing it wrong the whole time, but what I've done is created an OU in AD.  In that OU, I've created security groups for each PC on the network, called LocalAdminPCNAME.  On PCNAME, I add that domain group to the Local Admins group.  As and when a user requires local admin rights, I add them to the LocalAdminPCNAME group in AD.  Need to access $ share on another PC?  No problem, just add them to another AD group.  

    Ideally, sit down with the developers with a pen and pad.  Work out what machines each needs to have admin rights on.  Work out what folders on what other PCs they need access to.  Only add the users to the machine groups they need access to, and share the folders they need access to, and DON'T give them access to the administrative shares.  That way you have a lot better idea of what's getting done on your network.
    LVL 51

    Expert Comment

    Here is what to do:

    1)  Create an OU for the developers' machines.  Put those workstation accounts in this OU.
    2)  Create a Global Security Group and add the developers' accounts to this group.
    3)  Create and link a new GPO to the OU you created for the developers' machines.
    4)  Set the elements below:

    Computer Config>Windows Settings>Security Settings>Restricted Groups
    Right-click Restricted Groups and select Add Group
    Either Browse to the new Security group you created or enter it manually (domain\group)
    Select OK.
    In the lower pane (this group is a member of) click Add.
    Type in Administrators
    Select OK.

    Now, the new security group you created will be added to the local Administrators group on all PCs you have in this OU.  As long as the new OU is in the path of your other Group Policies then they will also still apply.  So if you need other GPOs to apply then the new OU you create should be a sub-OU of the OU the computers are already in.  **Note: the default Computers container is NOT an OU.  If your computers are there, then create a top level OU for the developer computers.

    Let us know.
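The risk behind trywaredk's warning, and the reason both the per-PC LocalAdminPCNAME groups and the Restricted Groups GPO scoped to a developers' OU are preferable to adding a broad domain group everywhere, is that a domain group in a workstation's local Administrators group grants every member remote admin over that workstation. The script below is an added example, not code from the thread or from any of its participants: it enumerates the local Administrators group on a list of workstations through the ADSI WinNT provider and flags any member outside an expected list, so a domain group that reached machines it should not have shows up. The computer names, the CONTOSO domain and the Developers-LocalAdmin group are placeholders to replace with your own; the account running it needs admin rights on each target machine.

```powershell
# Added example (not from the thread). Audits who sits in each workstation's local
# Administrators group and flags anything not on the expected list, especially a
# domain *group* (which fans out admin rights to all of its members).
# Names below are placeholders for your own environment.

$Computers = @('DEVWS01', 'DEVWS02')                  # placeholder workstation names
$Expected  = @(
    'CONTOSO\Domain Admins',                           # placeholder domain
    'CONTOSO\Developers-LocalAdmin'                    # the group scoped via Restricted Groups
)

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$Computer)
    # WinNT provider path to the machine's built-in Administrators group
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/Name for a domain principal, WinNT://COMPUTER/Name for a local one
        $name  = ($path -replace '^WinNT://', '') -replace '/', '\'
        [pscustomobject]@{
            Computer = $Computer
            Member   = $name
            Class    = $class                          # 'User' or 'Group'
            IsLocal  = $name -like "$Computer\*"
        }
    }
}

$report = foreach ($c in $Computers) {
    try {
        Get-LocalAdminMembers -Computer $c | ForEach-Object {
            $status = if ($_.IsLocal)                        { 'local account' }
                      elseif ($Expected -contains $_.Member) { 'expected' }
                      elseif ($_.Class -eq 'Group')          { 'REVIEW: unscoped domain group' }
                      else                                   { 'REVIEW: unexpected domain user' }
            $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
        }
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

$report | Sort-Object Computer, Member | Format-Table -AutoSize

# Keep a record of the items that need a decision (remove, or add to $Expected).
$review = $report | Where-Object Status -like 'REVIEW*'
if ($review) { $review | Export-Csv -NoTypeInformation -Path .\localadmin-review.csv }
```

Run it before and after the Restricted Groups GPO applies: afterwards, Developers-LocalAdmin should appear only on machines inside the developers' OU, and any machine that still carries a broader group (Domain Users, or a group that was pushed to every workstation) lands in the review list. Because Restricted Groups in "member of" mode adds the group without replacing existing members, the script also confirms that Domain Admins and the local Administrator account were left in place.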
    LVL 23

    Expert Comment

    I agree with Netman, this would make sure that any Developers in the Security group will be "added" to the local admins group, and won't remove any existing administrators like Domain Admins, etc.

    That's your best way to go...if you MUST give admin access.

    Author Comment

    Hi Guys,

    I’ll give your answers a shot today and see how it works.
    Once done, I'll assign the points accordingly.

    Thanks for all your help guys.

    Just one thing Netman, could you explain in slightly more detail what I am supposed to do? Giving developers admin rights on their local machines only. Preferably roaming so they are local admin on ANY machine they log into. If this is not possible I guess the solution from NJComputerNetworks by adding them to the administrators group is the way to go. I read your solution but I don’t understand it in its entirety.

    Thanks pal.
    LVL 51

    Accepted Solution

    What is unclear?  

    You're basically going to create an OU for the developers' machines, and move those machines in there.
    Create a security group with the developers in it.
    Create a new GPO linked to the new OU.
    Set Restricted Groups to add your new security group to the local administrators group on only the developers' machines.

    There isn't much to it.

    Ask specifically about the items you are not clear on so I can try to clear this up.

    Author Comment

    I'll get this in play by tonight or tomorrow.
    Thanks for your patience guys.

    Author Comment

    I am extremely sorry for the delayed response.
    Points assigned as I felt best.

    Thanks guys.
