I need to create an AD group "Select Local Admins" in which I will place user accounts that will be able to admin their own machines.
Once created, I intend to deploy a GPO to all machines that will delete any single accounts not in that group (Domain admins, Helpdesk groups will remain).
Whilst not 100% foolproof, the best solution I can think of is to add the dedicated workstation hostname to "Select Admins group".
The condition will be that if the user AND their workstation are listed in the group, they will be granted admin rights.
How do I achieve this?