Solved

Give domain user admin rights on all local machines

Posted on 2010-09-09
Last Modified: 2012-05-10
Hi,

I have a network with a Server 2003 domain and a number of machines running Win 7 Pro. Is there any way I can give a domain user account administrative privileges on each local machine without having to actually set this up on each PC individually?

Thanks in advance
Question by:mark_D74
5 Comments
 
LVL 3

Expert Comment

by:Neurom
ID: 33635152
You can do this using a GPO or a script. It is all described here:
http://support.microsoft.com/kb/555026

Hope this helps,
Regards

0
 
LVL 9

Expert Comment

by:rfportilla
ID: 33635202
Not initially.  You should create "pc_admins" group on the domain and add that to the administrator group on each computer in the domain.  If you can connect to each computer using the computer management console, you can do each one remotely.  I guess a script could be written, but I don't know how to write it off the top of my head.  

Here is a good article that has more of the details:

http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/08/how-can-i-add-a-domain-user-to-a-local-administrators-group.aspx

Good luck
0
 
LVL 5

Expert Comment

by:Swapnil Prajapati
ID: 33635223
You can create a Group Policy and add your domain users to Restricted Groups, and that way you can add your domain users to the local Administrators group of the systems.

Restricted Groups are a node within all GPOs. In this instance, I am only referring to GPOs that reside within Active Directory, not for the local GPO that exists on each computer. The Restricted Groups node exists under the Computer Configuration|Windows Settings|Security Settings node for any GPO in Active Directory.
You need to right-click Restricted Groups, then click Add Group and add Domain Users.
Once done, you have to run the command gpupdate /force so that the policy gets updated, and you have to restart the system.


The Restricted Groups policy affects the computer account, not the user accounts. Therefore, you will need to target the GPOs where you configure Restricted Groups to organizational units (OUs) that contain computer accounts.

The other point that I want to make about Restricted Groups is that they are not configured by default. No new GPO has Restricted Groups configured initially. The two default GPOs, Default Domain Policy and Default Domain Controller Policy, don’t have any Restricted Groups configured by default either.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33635240
Use Restricted Groups for your PCs. Create new GPO and link it to the proper OU. This article explains everything http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Do not forget to add all default users like administrator, domain admins group :)
0
 
LVL 19

Accepted Solution

by:
deroode earned 2000 total points
ID: 33644371
The disadvantage of using a Restricted Groups GPO is that it overwrites your current Administrators Group settings. If for instance you have one domain user that is added to the local administrators group on his own computer (e.g. a developer who needs local admin access) the GPO will overwrite that.

We have created a startup script that is run by all computers that adds the Domain group "Local_admins" to the local administrators group:


net localgroup Administrators "domain\Local_admins" /add


0
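A startup script of the kind described in the accepted solution, written so it only adds the group when it is missing and also records members it did not expect (an additive script never removes stray admins, which is the trade-off against Restricted Groups raised above). This is an added example, not code from the thread; the domain name CONTOSO, the log path and the baseline list are assumptions to replace with your own values.

```powershell
# Added example, not from the thread. CONTOSO is a placeholder domain name.
$Domain    = 'CONTOSO'
$GroupName = 'Local_admins'   # domain group named in the accepted answer
$LogFile   = Join-Path $env:SystemRoot 'Temp\local-admins-audit.log'  # assumed path

# Resolve the local Administrators group by its well-known SID so the
# script also works where the group name is localised.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$admins    = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"

# Current members, normalised to "SCOPE/name" (COMPUTER/name for local accounts,
# DOMAIN/name for domain accounts, a bare SID string for orphaned entries).
$members = @(@($admins.psbase.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = $path.Substring('WinNT://'.Length).Split('/')
    if ($parts.Length -ge 2) { "$($parts[-2])/$($parts[-1])" } else { $parts[-1] }
})

# Add the domain group only when it is missing, so reruns at every boot are quiet.
$wanted = "$Domain/$GroupName"
if ($members -notcontains $wanted) {
    $admins.Add("WinNT://$Domain/$GroupName,group")
    Add-Content $LogFile "$(Get-Date -Format s) added $wanted"
    $members += $wanted
}

# Assumed baseline of accounts that are allowed to be local administrators.
$baseline = @("$env:COMPUTERNAME/Administrator", "$Domain/Domain Admins", $wanted)

# Report anything outside the baseline instead of removing it.
$members | Where-Object { $baseline -notcontains $_ } | ForEach-Object {
    Add-Content $LogFile "$(Get-Date -Format s) unexpected member: $_"
}
```

It uses the ADSI WinNT provider rather than the LocalAccounts cmdlets so that it runs on the PowerShell 2.0 shipped with Windows 7.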

Question has a verified solution.