Give domain user admin rights on all local machines

Hi,

I have a network with a server 2003 domain and a number of machines running win 7 pro. Is there any way I can give a domain user account administrative privileges on each local machine without having to actually set this up on each PC individually?

Thanks in advance
mark_D74Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
deroodeConnect With a Mentor Systems AdministratorCommented:
The disadvantage of using a Restricted Groups GPO is that it overwrites your current Administrators Group settings. If for instance you have one domain user that is added to the local administrators group on his own computer (e.g. a developer who needs local admin access) the GPO will overwrite that.

We have created a startup script that is run by all computers that adds the Domain group "Local_admins" to the local administrators group:


net localgroup Administrators "domain\Local_admins" /add

Open in new window

0
 
NeuromCommented:
You can do this using GPO or Script. has all described here:
http://support.microsoft.com/kb/555026

Hope this helps,
Regards

0
 
rfportillaCommented:
Not initially.  You should create "pc_admins" group on the domain and add that to the administrator group on each computer in the domain.  If you can connect to each computer using the computer management console, you can do each one remotely.  I guess a script could be written, but I don't know how to write it off the top of my head.  

Here is a good article that has more of the details:

http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/08/how-can-i-add-a-domain-user-to-a-local-administrators-group.aspx

goodluck
0
 
Swapnil PrajapatiSr. System AdministratorCommented:
You can create a Group Policy and your domain users to restricted groups and you can add your domain users to Local Administrators Group of Systems.

Restricted Groups are a node within all GPOs. In this instance, I am only referring to GPOs that reside within Active Directory, not for the local GPO that exists on each computer. The Restricted Groups node exists under the Computer Configuration|Windows Settings|Security Settings node for any GPO in Active Directory.
You need to right click Restricted Groups and then Click on Add Group and add Domain users
Once you have to give command gpupdate /force so that the policy gets updated and you have to restart the system.


The Restricted Groups policy affects the computer account, not the user accounts. Therefore, you will need to target the GPOs where you configure Restricted Groups to organizational units (OUs) that contain computer accounts.

The other point that I want to make about Restricted Groups is that they are not configured by default. No new GPO has Restricted Groups configured initially. The two default GPOs, Default Domain Policy and Default Domain Controller Policy, don’t have any Restricted Groups configured by default either.

0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
Use Restricted Groups for your PCs. Create new GPO and link it to the proper OU. This article explains everything http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

DO not forget to add all default users like administrator, domain admins group :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.