• Status: Solved

Log in as local admin on Active Directory 2003

Hi, I have inherited a small network with Server 2003 and AD over Vista local machines.
At the moment, to update or install software etc. on a local machine, the user has to be logged in as the domain admin. I want to know how a user can log on locally and offline with full local admin rights.
3 Solutions
You should create a group in Active Directory and call it something like Admin_Workstations.

Then use Group Policy to apply settings to every Vista machine. The setting that you want to apply is the local Administrators group.

Open the Group Policy Management Console.

Create a new policy and call it "Workstation Admins".

Edit the policy, navigate to Computer Settings, Windows Settings, Security Settings, Restricted Groups

You want to add a new group called "Administrators"

Then put into this group:
MYDOMAIN\Domain Admins

Basically this will modify the local administrators group on the workstations, giving you control from a central point.

Add the desired users to the new Active Directory group.

Next time they log on, they will have admin rights over the workstation, but no admin rights on servers or the Active Directory.

1. The user can have the local administrator password (not domain).
2. There can be another local user with administrative rights.
3. Check the Administrators group of the local computer - there might be domain users included.

The user can log on to his computer when he is offline; passwords are cached for ~30 days.
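
One way to carry out the check in point 3 and to confirm that the Restricted Groups policy has taken effect, as an added example that is not part of any answer on this page. It assumes the policy's member list is `MYDOMAIN\Domain Admins` plus the `Admin_Workstations` group; the function names and the sample member list are made up for illustration.

```powershell
# Added example. MYDOMAIN and Admin_Workstations are the placeholder names from
# the answer above; that both are in the policy's member list is an assumption.
$Allowed = 'MYDOMAIN\Domain Admins', 'MYDOMAIN\Admin_Workstations'

function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)
    # The WinNT ADSI provider needs no extra modules on Vista/2003-era systems.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/name, WinNT://DOMAIN/COMPUTER/name, or WinNT://<SID> when
        # the account no longer resolves; keep the last two components.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        ($parts | Select-Object -Last 2) -join '\'
    }
}

function Test-LocalAdminMembership {
    param([string]$Computer, [string[]]$Members, [string[]]$Allowed)
    # The built-in local Administrator cannot be removed from the group, so it
    # is always expected (assumes the account has not been renamed).
    $expected = $Allowed + "$Computer\Administrator"
    foreach ($m in $Members) {
        if ($expected -notcontains $m) {
            New-Object PSObject -Property @{ Computer = $Computer; Finding = 'Unexpected'; Member = $m }
        }
    }
    foreach ($a in $Allowed) {
        if ($Members -notcontains $a) {
            New-Object PSObject -Property @{ Computer = $Computer; Finding = 'Missing'; Member = $a }
        }
    }
}

# Constructed sample: a workstation where the policy has not applied yet and a
# domain user was added by hand.
$sample = 'PC01\Administrator', 'MYDOMAIN\Domain Admins', 'MYDOMAIN\jsmith'
Test-LocalAdminMembership -Computer 'PC01' -Members $sample -Allowed $Allowed

# Live check of the machine this runs on:
# Test-LocalAdminMembership -Computer $env:COMPUTERNAME -Members (Get-LocalAdminMember) -Allowed $Allowed
```

An "Unexpected" finding is a member to review or remove; a "Missing" finding means the policy has not reached that machine yet.
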
Donald Stewart, Network Administrator, commented:
