Log in as local admin on Active Directory 2003

Posted on 2010-01-05
Last Modified: 2012-05-08
Hi, I have inherited a small network with Server 2003 and AD over Vista local machines.
At the moment, to update or install software etc. on a local machine, the user has to be logged in as the domain admin. I want to know how a user can log on locally and offline with full local admin rights.
Question by: LeighJor
    LVL 2

    Accepted Solution

    You should create a group in Active Directory, call it something like Admin_Workstations.

    Then use Group Policy to apply settings to every Vista machine. The setting that you want to apply is the local Administrators group.

    Open the Group Policy Management Console.

    Create a new policy and call it "Workstation Admins".

    Edit the policy, navigate to Computer Settings, Windows Settings, Security Settings, Restricted Groups.

    You want to add a new group called "Administrators".

    Then put into this group:
    MYDOMAIN\Domain Admins

    Basically this will modify the local Administrators group on the workstations, giving you control from a central point.

    Add the desired users to the new Active Directory group.

    Next time they log on they will have admin rights over the workstation, but no admin rights on servers or the Active Directory.
    LVL 6

    Assisted Solution

    1. User can have local administrator password (not domain)
    2. There can be another local user with administrative rights
    3. Check Administrators group of local computer - there might be domain users included

    User can log on to his computer when he is offline, passwords are cached for ~30 days.
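
An added example, not part of any post above: a PowerShell check, run on a workstation, that lists the local Administrators group and reports any member outside an allow-list. It shows what the Restricted Groups policy and the "check Administrators group" advice actually leave in place. The allow-list, the function names and the English-language group name are assumptions; MYDOMAIN and Admin_Workstations are the names used in the thread.

```powershell
# Added example (not from the thread): audit local Administrators membership.
# Assumptions: English group name "Administrators"; allow-list is site-specific.
$Allowed = @(
    'Administrator',                  # built-in local account
    'MYDOMAIN\Domain Admins',         # name used in the thread
    'MYDOMAIN\Admin_Workstations'     # group proposed in the thread
)

function Get-LocalAdminMembers {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/name, or WinNT://DOMAIN/COMPUTER/name for local accounts
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')
        if ($parts.Count -ge 2 -and $parts[-2] -eq $Computer) {
            $parts[-1]                        # local account: bare name
        } elseif ($parts.Count -ge 2) {
            "$($parts[-2])\$($parts[-1])"     # domain principal: DOMAIN\name
        } else {
            $parts[0]                         # unresolved SID (deleted account)
        }
    }
}

function Find-UnexpectedAdmins {
    param([string[]]$Members, [string[]]$Allowed)
    # -notcontains compares case-insensitively
    $Members | Where-Object { $Allowed -notcontains $_ }
}

$members = @(Get-LocalAdminMembers)
$unexpected = @(Find-UnexpectedAdmins -Members $members -Allowed $Allowed)
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected local administrators on ${env:COMPUTERNAME}:"
    $unexpected
} else {
    "Local Administrators matches the allow-list ($($members.Count) members)."
}
```

Run it from an elevated prompt after a `gpupdate /force` and a reboot, so the result reflects the applied policy rather than the previous membership.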