Solved

Give domain user admin rights on all local machines

Posted on 2010-09-09
5
694 Views
Last Modified: 2012-05-10
Hi,

I have a network with a server 2003 domain and a number of machines running win 7 pro. Is there any way I can give a domain user account administrative privileges on each local machine without having to actually set this up on each PC individually?

Thanks in advance
0
Comment
Question by:mark_D74
5 Comments
 
LVL 3

Expert Comment

by:Neurom
Comment Utility
You can do this using GPO or Script. has all described here:
http://support.microsoft.com/kb/555026

Hope this helps,
Regards

0
 
LVL 9

Expert Comment

by:rfportilla
Comment Utility
Not initially.  You should create "pc_admins" group on the domain and add that to the administrator group on each computer in the domain.  If you can connect to each computer using the computer management console, you can do each one remotely.  I guess a script could be written, but I don't know how to write it off the top of my head.  

Here is a good article that has more of the details:

http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/08/how-can-i-add-a-domain-user-to-a-local-administrators-group.aspx

goodluck
0
 
LVL 5

Expert Comment

by:swap_101982
Comment Utility
You can create a Group Policy and your domain users to restricted groups and you can add your domain users to Local Administrators Group of Systems.

Restricted Groups are a node within all GPOs. In this instance, I am only referring to GPOs that reside within Active Directory, not for the local GPO that exists on each computer. The Restricted Groups node exists under the Computer Configuration|Windows Settings|Security Settings node for any GPO in Active Directory.
You need to right click Restricted Groups and then Click on Add Group and add Domain users
Once you have to give command gpupdate /force so that the policy gets updated and you have to restart the system.


The Restricted Groups policy affects the computer account, not the user accounts. Therefore, you will need to target the GPOs where you configure Restricted Groups to organizational units (OUs) that contain computer accounts.

The other point that I want to make about Restricted Groups is that they are not configured by default. No new GPO has Restricted Groups configured initially. The two default GPOs, Default Domain Policy and Default Domain Controller Policy, don’t have any Restricted Groups configured by default either.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Use Restricted Groups for your PCs. Create new GPO and link it to the proper OU. This article explains everything http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

DO not forget to add all default users like administrator, domain admins group :)
0
 
LVL 19

Accepted Solution

by:
deroode earned 500 total points
Comment Utility
The disadvantage of using a Restricted Groups GPO is that it overwrites your current Administrators Group settings. If for instance you have one domain user that is added to the local administrators group on his own computer (e.g. a developer who needs local admin access) the GPO will overwrite that.

We have created a startup script that is run by all computers that adds the Domain group "Local_admins" to the local administrators group:


net localgroup Administrators "domain\Local_admins" /add

Open in new window

0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now