I only want you to be a Local Admin! AHhhhhhhhh!!

Ok Guys,

The problem is I have a team of developers and I need them to be Administrators of their own machines but nothing more. They can install, they can utilise IIS but I don't want them to do any more. I need them NOT to access the domain controllers (fiddle with AD) or Exchange servers (change settings). I would prefer it if their local admin privileges were roaming so any machine they used would grant them local admin rights for that session and once they log out the next user that logs in will have no admin rights on that machine. If this is not possible then admin rights on their personal PC is fine (using their domain username and password). At the moment they are part of the Domain Admins group. The network is native 2003 server.

Basically, the question has been asked so many times here but it's not that I don't get it. I'm worried about doing it.
The reason I'm worried is because of this (this was posted by someone about 3 years ago).

---------------------------------------------------------------------------------------------------

Comment from trywaredk
Date: 04/12/2003 04:26PM BST
Comment  

PROTOFJ... "Log on locally at machine and add domain user(group) to local admins group"

It's not simple, it's a disaster.

PREMIERNC and PROTOFJ and everybody else....
PLEASE READ THIS CAREFULLY:
You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.
And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.
If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)

IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734

IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
-------------------------------------------------------------------------------------------------------------------


Can someone give me simple step by step instructions to doing this safely?
Thanks guys!
dqnet Asked:
Netman66 Commented:
What is unclear?  

You're basically going to create an OU for the developers' machines, and move those machines in there.
Create a security group with the developers in it.
Create a new GPO linked to the new OU.
Set Restricted Groups to add your new security group to the local Administrators group on only the developers' machines.


There isn't much to it.

Ask specifically on the items you are not clear so I can try to clear this up.
0
 
NJComputerNetworks Commented:
1) Log on to USERA's workstation as administrator
2) Go to MANAGE my computer
3) Expand the GROUPS folder - and double click ADMINISTRATORS
4) Add the USERA's account from the domain to the Administrators group on the workstation.
5) click OK

Have the user login...
0
 
dqnet (Author) Commented:
Doesn't the statement made 3 years ago contradict that?
0
NJComputerNetworksCommented:
The posted information (from 3 years ago) doesn't make sense to me...

"You have to grant a Domain User Group to the Local Admin Group"  I'm not asking you to add the DOMAIN USERS GROUP to the local Administrators group...  Rather, just add the domain user to the local Admins group.

This user will only have access to the local Administrators group of the machine you perform this action on.  On no other machines will this user have local admin access...
0
 
dqnet (Author) Commented:
Thanks for all the info NJ.
But one small problem mate. Those machines can no longer access $ share.
My test box is constantly asking for a username and password.
Should I just put one with admin privileges and let them use that?
Or can I modify their username to be able to access $ on the servers?
0
 
dqnet (Author) Commented:
I mean, they should be able to access the drives on the other machines as they share code.
Do I have to create shares? Or is it possible to change something in their login name to enable them to use $ share.
0
 
essaydave Commented:
Well, if they're accessing $ shares (I assume you mean administrative shares such as admin$ and c$), then they need admin privileges on the machines they're accessing.  If there's a specific reason they need access to that share, whether they need a subfolder or something like that, identify the resource needed, and share that - and only that - resource.  Either that or add them as admins on the machine with the $ share you want them to access.  

Maybe I've been doing it wrong the whole time, but what I've done is created an OU in AD.  In that OU, I've created security groups for each PC on the network, called LocalAdminPCNAME.  On PCNAME, I add that domain group to the local Admins group.  As and when a user requires local admin rights, I add them to the LocalAdminPCNAME group in AD.  Need to access a $ share on another PC?  No problem, just add them to another AD group.  

Ideally, sit down with the developers with a pen and pad.  Work out what machines each needs to have admin rights on.  Work out what folders on what other PCs they need access to.  Only add the users to the machine groups they need access to, share the folders they need access to, and DON'T give them access to the administrative shares.  That way you have a lot better idea of what's getting done on your network.
0
 
Netman66 Commented:
Here is what to do:

1)  Create an OU for the Developers' machines.  Put those workstation accounts in this OU.
2)  Create a Global Security Group and add the developers' accounts to this group.
3)  Create and link a new GPO to the OU you created for the developers' machines.
4)  Set the elements below:

Computer Config>Windows Settings>Security Settings>Restricted Groups
Right-click Restricted Groups and select Add Group
Either Browse to the new Security group you created or enter it manually (domain\group)
Select OK.
In the lower pane (this group is a member of) click Add.
Type in Administrators
Select OK.

Now, the new security group you created will be added to the local Administrators group on all PCs you have in this OU.  As long as the new OU is in the path of your other Group Policies then they will also still apply.  So if you need other GPOs to apply then the new OU you create should be a sub-OU of the OU the computers are already in.  **Note: the default Computers container is NOT an OU.  If your computers are there, then create a top level OU for the developer computers.

Let us know.
0
 
TheCleaner Commented:
I agree with Netman, this would make sure that any Developers in the Security group will be "added" to the local admins group, and won't remove any existing administrators like Domain Admins, etc.

That's your best way to go...if you MUST give admin access.
0
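The Restricted Groups setting Netman66 describes, and the "added to" rather than "replaces" distinction TheCleaner points out, both end up in the GPO's GptTmpl.inf under [Group Membership]: the "this group is a member of" form is written as Group__Memberof, the authoritative "members of this group" form as Group__Members. The following script is an added example, not code from this thread; it parses a constructed sample of that file (the domain name CONTOSO and the group names are assumed) and flags the two mistakes the thread warns about: a domain-wide group such as Domain Users becoming local admin on every PC in scope, and an authoritative Members entry on BUILTIN\Administrators that would drop Domain Admins.

```python
# Added example (not from the thread): audit Restricted Groups entries in GptTmpl.inf.
# SAMPLE_INF is constructed; CONTOSO and the group names are assumptions.
ADMINS_SID = "*S-1-5-32-544"                    # BUILTIN\Administrators
BROAD_NAMES = {"domain users", "authenticated users", "everyone"}
BROAD_RIDS = {"-513", "-515"}                   # Domain Users, Domain Computers

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
CONTOSO\\DevLocalAdmins__Memberof = *S-1-5-32-544
CONTOSO\\DevLocalAdmins__Members =
CONTOSO\\Domain Users__Memberof = *S-1-5-32-544
CONTOSO\\Domain Users__Members =
*S-1-5-32-544__Members = CONTOSO\\Helpdesk
*S-1-5-32-544__Memberof =
"""

def is_broad(principal):
    """True for domain-wide groups that should never be local admins everywhere."""
    name = principal.rpartition("\\")[2].strip().lower()
    return name in BROAD_NAMES or any(principal.endswith(r) for r in BROAD_RIDS)

def parse_group_membership(text):
    """Return {(group, mode): [members]} from the [Group Membership] section."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, mode = key.strip().rpartition("__")   # mode: Memberof | Members
        entries[(group, mode)] = [m.strip() for m in value.split(",") if m.strip()]
    return entries

def audit(entries):
    """Flag settings that hand out admin too widely or wipe existing admins."""
    findings = []
    for (group, mode), members in entries.items():
        if mode == "Memberof" and ADMINS_SID in members:
            # Additive: group joins local Administrators, existing members are kept.
            if is_broad(group):
                findings.append(f"BROAD: {group} becomes local admin on every PC in scope")
        elif mode == "Members" and group == ADMINS_SID:
            # Authoritative: local Administrators is reset to exactly this list
            # (an empty list empties it), so Domain Admins vanish unless listed.
            findings.append(f"REPLACE: Administrators reset to {members or 'nobody'}")
            findings.extend(f"BROAD: {m} listed as local admin" for m in members if is_broad(m))
    return findings
```

Run it against the GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL to confirm a developer GPO only contains a Group__Memberof line for the developers' group and nothing for *S-1-5-32-544__Members.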
 
dqnet (Author) Commented:
Hi Guys,

I’ll give your answers a shot today and see how it works.
Once done, I'll assign the points accordingly.

Thanks for all your help guys.

Just one thing Netman, could you explain in slightly more detail what I am supposed to do? Giving developers admin rights on their local machines only. Preferably roaming so they are local admin on ANY machine they log into. If this is not possible I guess the solution from NJComputerNetworks of adding them to the Administrators group is the way to go. I read your solution but I don't understand it in its entirety.

Thanks pal.
Raf
0
 
dqnet (Author) Commented:
I'll get this in play by tonight or tomorrow.
Thanks for your patience guys.
0
 
dqnet (Author) Commented:
I am extremely sorry for the delayed response.
Points assigned as I felt best.

Thanks guys.
0