
  • Status: Solved
  • Priority: Medium
  • Security: Public

How to assign local admin rights but not allow certain changes to be made

Hello Experts,

 I need to assign certain users on our 2003 domain to have local admin rights, but not to be able to change or disable the domain Local Administrator account or change or disable any of the domain or network settings.

I kind of need this in a hurry so if anyone can help I would greatly appreciate it.
1 Solution
"Power Users" rather than "Local Administrator"?
You can make them local admins and then lock everything else down with Group Policies. Are you familiar with them? If you aren't, I can probably give you a few links to get you started.
Toni Uranjek (Consultant/Trainer) Commented:
Hi tcmadmin,

Once a user is a member of the local Administrators group, you cannot restrict his/her account from having full access. The question is which user rights exactly you need, or what exactly you are trying to achieve?



tcmadmin (Author) Commented:
The users should be able to modify most settings, but not take full control of the machine. Download software, make changes to most settings. I would like to keep them out of local policy and computer management, and to not let them make network changes. I am not real familiar with the GP settings on that stuff.

Thanks for helping out in advance.
Toni Uranjek (Consultant/Trainer) Commented:
You will have to be very specific. If by "download software" you mean download and install programs, users have to be in the local Administrators group, and once they are, you cannot prevent them from doing "anything". Policies will not help; a local admin can easily bypass any policy setting.
tcmadmin (Author) Commented:
Users mainly need to install software and make any changes that would be related. That is a broad spectrum, but unfortunately it is where I am at.

Toni Uranjek (Consultant/Trainer) Commented:
I will repeat: unfortunately, there is no solution for your problem. Only members of the local Administrators group can install software, and you cannot impose any restrictions on members of the local Administrators group.
tcmadmin (Author) Commented:

Thanks for the answer. I was hoping there was some other way to allow the users to have most control features, but still be able to control certain variables.

Thanks again,

