Create GPO to automatically set new users as local admin on client machine

I would like for my new users to automatically be administrators on their client machine.  I've been unsuccessful in creating that GPO.  I don't know where to start.  Could someone give me a step by step on this one?  Click here, type there, click this....etc.  

This is the only domain controller.  It's a small office with 4 users that plans on expanding and I don't want to have to individually assign those local rights each time I add a user.  There must be a way!  LOL

Thanks!
Rexx
Asked by: rexxnet
 
AnthonyHamon commented:
It is not a good security practice to give users local administrator access on their machines; however, you may have good reason to do this (sermon over!).

Do you want the users to be local administrators on their own client machine only or on all client machines?  For the first scenario, there is no simple way to achieve this with Group Policy, for the second, however, the process is very simple.

(Make sure you understand the implications of these changes before applying them to the production environment)

Step 1
Ensure that all client workstations are in their own OU (with no other servers or workstations) and that there is a Global security group that contains the client workstation users.

Step 2
Create a new GPO linked to the client computers OU (or if you have an existing GPO for these client computers you can edit that one).  Make sure that the GPO will ONLY apply to the client computers.

Step 3
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Step 4
Right click on Restricted Groups and select Add Group.  Add a group called Administrators.

Step 6
Edit the group, and, in the 'Members of this group' section, add the Global Security group that contains the client computer users.

Step 7
Click OK to close the 'Administrators Properties' window and close GPME.

All users in the Global Security group that contains the client computer users will be local administrators of the client computers.

I hope this helps.
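
A check for the result of the Restricted Groups steps above, as an added example that is not part of any post in this thread. It compares the local Administrators group on a client with the list configured in the GPO; `CONTOSO` and `Workstation Admins` are placeholder names, and an English OS (group named "Administrators") is assumed.

```powershell
# Added example (not from the thread). Run elevated on a client after the
# GPO has applied (gpupdate /force, or the next background refresh).
# CONTOSO and "Workstation Admins" are placeholder names, not from the page.

# Must mirror exactly what was entered under 'Members of this group':
# that setting replaces the local membership, so anything not listed
# (including Domain Admins, which domain join adds) is removed on refresh.
$Expected = @(
    "$env:COMPUTERNAME\Administrator"   # built-in account is always retained
    'CONTOSO\Workstation Admins'
)
# Broad principals that would make every account a local administrator.
$TooBroad = 'Authenticated Users', 'Domain Users', 'Everyone', 'INTERACTIVE'

function Get-LocalAdminMember {
    # ADSI WinNT provider works on older clients that lack Get-LocalGroupMember.
    # Assumes an English OS where the group is named "Administrators".
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name, WinNT://DOMAIN/COMPUTER/name,
        # or a bare SID when the account no longer resolves.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
        else { $parts[-1] }
    }
}

$actual = @(Get-LocalAdminMember)
$report = foreach ($name in ($actual + $Expected | Sort-Object -Unique)) {
    $leaf = ($name -split '\\')[-1]
    $status = if ($TooBroad -contains $leaf) { 'TOO BROAD' }
              elseif ($actual -notcontains $name) { 'MISSING' }
              elseif ($Expected -notcontains $name) { 'UNEXPECTED' }
              else { 'ok' }
    [pscustomobject]@{ Member = $name; Status = $status }
}
$report | Format-Table -AutoSize
```

Any row other than `ok` means the client's membership differs from what the policy was meant to enforce, or that a catch-all group has been granted administrator rights.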
 
Mike Kline commented:
There have always been restricted groups using group policy.  Since you are on 2008 you can also use group policy preferences to do this.  Alan has a very good blog entry: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Let me know if that makes sense

Thanks

Mike
 
rexxnet (author) commented:
Mike:

This goes much further than I want to go with individual computer names.  I just simply want to make the new user an administrator on any computer they sign in to.  This is a small organization and the article, thorough as it is, is asking to add individual computer names.  If I wind up having 50 computers, I don't want to add each computer to this list.  I want it to be automatic.  Isn't there a simpler solution?

Rexx
 
rexxnet (author) commented:
Anthony:

The main reason I want to do this is to allow the users to be able to add hardware when necessary and install software as needed.  I will not be onsite all of the time and I don't want them to have to sign off and sign back on as another user with local admin rights to perform these tasks.  

This is my first server setup.  So, I know enough to be VERY dangerous.  That's why I'm asking for help so it is not a complete failure.  LOL.

I tried to install a simple Flash update and I didn't have rights as the user.  Perfectly fine when I signed in with my credentials.  Same went with the printer/copier.

See where I'm coming from?  Does that help you help me some?

Thanks to you both for your patience in helping me learn and become their network guy.

Rexx
 
AnthonyHamon commented:
Thanks Rexx,

The solution I provided achieves your requirement.  You just need to ensure that every user is added to the global security group when created and that every client computer is in the client computers OU.

Kind Regards,

Anthony
 
Vaseem Mohammed commented:
To make things much simpler, add the "Authenticated Users" group to the Restricted Groups GPO, as any user you create will be a member of the Authenticated Users group.
 
Kevin Hays (IT Analyst) commented:
You can also create a startup script in the GPO.  Something like this.

net localgroup administrators "domain\domain users" /add

Save it as a filename.bat

Place that file in the startup script on the GPO that is linked to your computers.  Personally I would do restricted groups and add the users in there.  Like the others have said, I would create new OUs and design it logically for group policy processing, but since you are new I would be afraid of you adding this to the default domain policy.

Kevin
 
connectex commented:
I've noted this on another post. I also don't recommend giving local administrator rights to users. But if you must, the proper way to do this is via the Windows SBS Console. Click Users & Groups, double click on a user from the list. Select computers on the left side. Highlight the computer name. Select the desired access level from the drop down. Note that it says the changes will be delivered via group policy. I know it's not the simplest or quickest method. But it's how the SBS team designed it to work. And this way you don't have to worry about it being stepped on by another GPO.