
How do you assign network users administrative rights on some computers but not on others?

srsdtech asked
Medium Priority
Last Modified: 2010-04-18
This seems like an easy thing to do, but I can't figure out how.  I manage the network for a school, and would like to give staff members administrative rights on their computer and the computers in their classroom but not on the rest of the network.  The main trouble they run into is being unable to install programs.  They can get around this by logging onto the computer rather than the network, but the problem is that some of them have decided that logging onto the computer is easier and now do that all the time.  I want them to log onto the network so their logon script executes and so that server programs and services can more easily be deployed.

We have a Windows 2003 Native domain.



In the ideal world, a network administrator deals with ALL software installs.
People install stupid things because they don't know any better.
Barring a reason for the staff to have a local logon for a system, they should be vigorously denied that right.


Back to reality. If they can log into the local machine and prefer to do so, there's little you can do so long as they retain that logon information.

You'll need a multi-pronged approach:

1: identify the computers each staff member needs software installation rights on
2: on THOSE COMPUTERS ONLY add the staff member to the local Administrators group

Personally, I think you're going to run into trouble by allowing the (relatively unwashed) masses to do software installs at their own whims.


Kevin Hays, IT Analyst

You can do it by machine if you wish, or you can create a batch script with the following info in it.

net localgroup administrators domain\username /add

This command will just have them in the administrators group on the local machine and nothing else.  I would also have them as "users" only if you can for the network.  The problem with logging into the computer is they probably won't have anything, no drives mapped, etc....

You could also look into restricted groups if you want to control who's got admin access as well.
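The `net localgroup` line above does one machine at a time. The following PowerShell script is an added example (not code from this thread) that does the same job across a named list of classroom computers through the ADSI WinNT provider, verifies that the membership change actually took effect by re-reading the group, and spot-checks a second list of machines where the same account must not be a local administrator. The domain, group and computer names are placeholders; it assumes you run it as a domain account that already administers those machines and that they are reachable over RPC (no PowerShell remoting is required).

```powershell
# Added example, not from the original thread. Grants a domain group (or user) membership
# in the local Administrators group on a fixed list of computers, verifies the result,
# and audits a second list where the same principal must NOT be a local admin.
# All names below are placeholders.

$Domain      = 'SCHOOL'                                       # NetBIOS domain name
$Principal   = 'Room101-DesktopAdmins'                         # group or user to grant
$Grant       = 'ROOM101-PC01','ROOM101-PC02','ROOM101-TEACHER' # ONLY these machines
$MustNotHave = 'LIBRARY-PC01','OFFICE-PC01'                    # must never hold admin here

function Get-LocalAdminMembers {
    # Returns the ADsPath of every member, e.g. WinNT://SCHOOL/Room101-DesktopAdmins
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Set-LocalAdminMembership {
    # $Present = $true adds the principal if it is missing; $false removes it if present.
    param([string]$Computer, [string]$Domain, [string]$Principal, [bool]$Present)
    $target = "WinNT://$Domain/$Principal"
    $group  = [ADSI]"WinNT://$Computer/Administrators,group"
    $has    = @(Get-LocalAdminMembers -Computer $Computer) -contains $target
    if ($Present -and -not $has)     { $group.Add($target);    $action = 'added' }
    elseif (-not $Present -and $has) { $group.Remove($target); $action = 'removed' }
    else                             { return "$Computer : no change needed" }
    # Re-read the group instead of trusting the call; the membership is what matters.
    $now = @(Get-LocalAdminMembers -Computer $Computer) -contains $target
    if ($now -eq $Present) { return "$Computer : $action $Domain\$Principal" }
    throw "$Computer : $action did not take effect"
}

foreach ($c in $Grant) {
    try   { Set-LocalAdminMembership -Computer $c -Domain $Domain -Principal $Principal -Present $true }
    catch { Write-Warning $_.Exception.Message }
}
foreach ($c in $MustNotHave) {
    try   { Set-LocalAdminMembership -Computer $c -Domain $Domain -Principal $Principal -Present $false }
    catch { Write-Warning $_.Exception.Message }
}
```

Granting a domain group rather than individual user accounts keeps the per-machine change a one-time job: later you only move teachers in and out of the group in Active Directory.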

Kevin Hays, IT Analyst

Also another note :)

The command I used just let's them be in the Local Admin group on the local PC only.  None of my users have accounts that are local to their machines and none of them are members of the admin group locally to their machine either.  Like MidnightOne suggested, you cannot have your users installing things or even logging on locally to the system.  It just creates a nightmare really.

I would never give users direct admin privileges if I didn't have to.  I've scripted most of my application installs to run with AutoIT (download: http://www.autoitscript.com/autoit3/) with admin privileges.  You can do this by creating an au3 file (AutoIT script file) with the following syntax:


You can easily create an au3 script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm.  Best of all it's free!  Definitely one of the most useful tools I have in my admin arsenal.  Here is the syntax:

; AutoIt v3 script. Every value below, including the admin password, is compiled into
; the resulting .exe in recoverable form: anyone who can run the .exe can extract it.
Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName   = "Username"      ; account that has rights to install software
$DomainName = "domainname"
$Password   = "Password"

$RunProgram = "setup.exe"                ; installer to launch
$RunPath    = "\\servername\sharename"   ; share holding the installer

; RunAsSet() was removed in later AutoIt v3 releases (3.2.10 and after); RunAsWait()
; replaces it and takes the credentials directly. Logon flag 0 = interactive logon.
; Returns the installer's exit code once it finishes.
$val = RunAsWait($UserName, $DomainName, $Password, 0, $RunPath & "\" & $RunProgram, $RunPath, @SW_MAXIMIZE)

This allows you to specify the Username, Domain name, password, executable and path that installs run under.  Compile this into an exe file (AutoIT can do this with encryption) and place it on a share that users can access.  This way you keep users out of the local admin group and at the same time they can install approved applications.

I hope this helps.  Let me know if you have any questions.
Creating desktop administrators is fairly common practice.  In your situation I would do the following.

1.  Create OUs for each classroom
2.  Add the computers in each classroom to the appropriate OU
3.  Create desktop administrator group for each classroom
4.  Add the appropriate desktop administrator group to the Local Administrators group on each computer in the classroom
5.  Add the instructor's domain account to the appropriate desktop administrator group for their classroom.

Since this is a school setting and you will have students testing their boundaries you may also want to look at restricting membership in the Local Administrators group.  See the following for more info:

You may also find that the instructor needs to be able have some administrative control of AD accounts in their classrooms.  See the following post on delegating control for more info:

Good luck!
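The five steps above, carried out as one PowerShell script. This is an added example, not code from the thread: it creates the OU and "desktop administrators" group per classroom, moves the classroom's computers into the OU, adds the instructor, and prints the Restricted Groups fragment (GptTmpl.inf syntax) for a GPO linked to that OU, which is the mechanism that enforces step 4 and keeps students from adding themselves. All room, computer and account names are placeholders. It assumes the RSAT ActiveDirectory module (2008 R2-era or later tooling, which can manage a 2003 domain) and that a parent OU named "Classrooms" already exists. The .inf layout is written from memory of what the security policy editor generates, so compare it with one GPO you configure by hand before relying on it.

```powershell
# Added example, not from the original thread. Placeholders throughout.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName
$DomainSid = (Get-ADDomain).DomainSID.Value
$ParentOU  = "OU=Classrooms,$DomainDN"          # assumed to exist already

$Classrooms = @{
    'Room101' = @{ Instructor = 'jsmith'; Computers = 'ROOM101-PC01','ROOM101-PC02' }
    'Room102' = @{ Instructor = 'mjones'; Computers = 'ROOM102-PC01' }
}

function New-ClassroomAdmins {
    param([string]$Room, [string]$Instructor, [string[]]$Computers)
    $ouDN = "OU=$Room,$ParentOU"
    $grp  = "$Room-DesktopAdmins"

    # 1-2: OU per classroom, computers moved into it (skipped if already there)
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Room'" -SearchBase $ParentOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $Room -Path $ParentOU
    }
    foreach ($pc in $Computers) {
        $obj = Get-ADComputer $pc
        if ($obj.DistinguishedName -notlike "*,$ouDN") { Move-ADObject -Identity $obj -TargetPath $ouDN }
    }

    # 3 and 5: one global security group per classroom, instructor as member
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security -Path $ouDN
    }
    Add-ADGroupMember -Identity $grp -Members $Instructor   # re-adding an existing member is not an error

    # 4: Restricted Groups in "Members" form. On every policy refresh the workstation
    # makes local Administrators EXACTLY this list. Domain Admins (RID 512) is included
    # on purpose: leave it out and the policy removes your own access to the room's PCs.
    $grpSid = (Get-ADGroup $grp).SID.Value
@"
; GPO linked to $ouDN
; (Computer Configuration > Windows Settings > Security Settings > Restricted Groups)
; Compare with the file the editor writes to
; \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *$grpSid,*$DomainSid-512
"@
}

foreach ($room in $Classrooms.Keys) {
    $spec = $Classrooms[$room]
    New-ClassroomAdmins -Room $room -Instructor $spec.Instructor -Computers $spec.Computers
}
```

Because the group, not the teacher's account, is what the workstations know about, a teacher changing rooms is handled by moving one AD group membership rather than touching any computer. The "Members" form also means anything a student manages to add to the local Administrators group is removed at the next policy refresh.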


Wow!  I ran off to teach a couple classes and you guys wrote a novel!  Thanks!  I'm still digesting the information, but I can see you have given me some great stuff.

In the meantime, I will make a few comments.  Regarding your observations about the wisdom of giving administrative rights to users--I'm with you on every point.  I know it would create a huge headache.  I want everyone to log on to the network all the time, and I want the local administrative password to be known only by me.  The only reason for that account is for me to be able to get into the computer if it gets kicked off the network.

This brings up the issue of laptops.  Some staff have laptops which they use as their class computer.  They log onto the laptop (local account) here at school so that when they take the laptop home, they get the same personalized settings.  I would like them to log onto the network instead, but do not know how to configure this so that when they get somewhere else those settings are preserved.

I haven’t added anything to this for 45 minutes (got called out) so I will just post it before the thoughts get cold.

User laptops are a problem all their own, but barring anything from on high ( read: school administrations and negotiated with the teacher's union ), there's going to be nothing you can do about those.

I'd recommend changing the local admin password on the school-controlled systems immediately and killing off all other local accounts on those systems anyway for good measure.

A word on the kids - they WILL find a way to hack the network. It's your skills versus ALL of theirs. Don't hand them tools like a local admin account that's left unattended. ;-)
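The two housekeeping steps recommended above, changing the local Administrator password on the school-controlled machines and removing other local accounts, as an added PowerShell example that is not code from the thread. It disables rather than deletes the extra accounts (so a mistaken hit can be reverted and the account's files are kept), and it reads the new password from a prompt instead of storing it in the script. Computer names are placeholders; it assumes the built-in Administrator has not been renamed and that you run it as a domain account that already administers these machines. One password shared by every machine is still a single secret, which is the weakness Microsoft's later LAPS tool exists to fix; use that where it is available.

```powershell
# Added example, not from the original thread. Placeholders throughout.
$Computers = 'ROOM101-PC01','ROOM101-PC02','ROOM102-PC01'
$KeepNames = 'Administrator'        # built-in; everything else local gets disabled
$ADS_UF_ACCOUNTDISABLE = 0x0002     # UserFlags bit meaning "account disabled"

# Typed once, never written to disk; cleared from the process when finished.
$secure = Read-Host 'New local Administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Get-LocalUserAccounts {
    # Every local user object on the machine via the ADSI WinNT provider
    param([string]$Computer)
    ([ADSI]"WinNT://$Computer").Children | Where-Object { $_.SchemaClassName -eq 'user' }
}

function Disable-ExtraLocalAccounts {
    # Disables every enabled local account not in $Keep; returns the names it touched.
    param([string]$Computer, [string[]]$Keep)
    $disabled = @()
    foreach ($u in Get-LocalUserAccounts -Computer $Computer) {
        $name  = [string]$u.Name
        $flags = [int]$u.UserFlags.Value
        if ($Keep -contains $name) { continue }
        if (($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0) {
            $u.Put('UserFlags', ($flags -bor $ADS_UF_ACCOUNTDISABLE))
            $u.SetInfo()
            $disabled += $name
        }
    }
    return $disabled
}

function Set-LocalAdministratorPassword {
    param([string]$Computer, [string]$Password)
    $admin = [ADSI]"WinNT://$Computer/Administrator,user"
    $admin.SetPassword($Password)
    $admin.SetInfo()
}

foreach ($c in $Computers) {
    try {
        $hit = Disable-ExtraLocalAccounts -Computer $c -Keep $KeepNames
        if ($hit) { Write-Host "$c : disabled local accounts: $($hit -join ', ')" }
        Set-LocalAdministratorPassword -Computer $c -Password $plain
        Write-Host "$c : local Administrator password changed"
    }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}
$plain = $null
```

Run it again after the first pass with a different list and you also have an audit: any machine that reports a newly disabled account is one where a local logon had been created since the last run.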



I looked into all of the solutions offered, and though all sound great, there are only two I can see myself using much.  I will split points between those two contributors.  


Good luck, and thanks.
