Adding AD users with Local Administrator Rights

Posted on 2012-04-08
Medium Priority
Last Modified: 2012-05-08
Hi Windows Experts,

Can someone provide me the steps on how to assign or provide AD users with Local Admin Rights only? I'm using Windows 2008.

Thanks in Advance
Question by:SandMan

Accepted Solution

big_daddy0690 earned 750 total points
ID: 37821991
LVL 21

Expert Comment

ID: 37822011
You can also try this:

net localgroup Administrators your_ad_account /add

Author Comment

ID: 37822032
Thanks big_daddy0690. Is this applicable to 2008? I tried to follow it, but it seems this is for 2003.

Hi motnahp00, where do I execute this? On the AD server or on the workstation that I want the AD user to have access rights?

LVL 21

Expert Comment

ID: 37822038
You can execute this from a command line on your applicable workstation or server. It will require an elevated command prompt for you to add an AD user as a local admin.

Expert Comment

ID: 37822151
Does this need to be done for all users or just a one time thing?
LVL 21

Expert Comment

ID: 37822152
It's on a per user basis.
LVL 70

Expert Comment

ID: 37822205
Don't do it on a per-user basis

Create a security group - call it something like 'LocalAdminusers'

Then use a restricted group to assign local admin rights to the group as detailed in a previous post (yes it works with 2008)

The advantage of using a group is that if you want to modify who has local admin rights, all you need to do once the policy is in place is to add or remove users from the group to grant or deny them local admin rights.
LVL 21

Expert Comment

ID: 37822215
Nesting of domain groups to local groups is not supported with the net command.

Feel free to correct if I'm wrong to include an example.
LVL 10

Assisted Solution

by:Prashant Girennavar
Prashant Girennavar earned 750 total points
ID: 37822320
To accomplish the above you have 2 options:

1. Use Restricted Groups in GPO
2. With the help of scripts.

Using Restricted Groups in GPO.

Please follow the link below, which explains how to use the Restricted Groups option to add domain users to the local administrator account group.



Using PowerShell Script.
Follow the link below, which includes a PowerShell script.



If I were you, I would configure the Restricted Groups option.

Hope this helps.
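An added example, not taken from the thread or from the script the answer links to: one way to do the script option on the target machine with the ADSI WinNT provider, adding the domain group suggested above instead of individual users and then flagging any domain user that sits directly in the local Administrators group. The domain name CONTOSO is a placeholder, and the function name Get-LocalAdminMember is made up for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
param(
    [string]$Domain    = 'CONTOSO',          # placeholder: your NetBIOS domain name
    [string]$GroupName = 'LocalAdminusers',  # domain security group named in the thread
    [string]$Computer  = $env:COMPUTERNAME   # machine whose Administrators group is changed
)

# Bind to the local Administrators group through the WinNT provider.
$admins = [ADSI]"WinNT://$Computer/Administrators,group"

function Get-LocalAdminMember {
    # One object per member: name, WinNT path and class (User or Group).
    foreach ($m in @($admins.Invoke('Members'))) {
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            Class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        }
    }
}

# Add the domain group only if it is not already a member (Add() throws on duplicates).
$groupPath = "WinNT://$Domain/$GroupName"
$present = Get-LocalAdminMember | Where-Object { $_.Path -eq $groupPath }
if ($present) {
    Write-Output "$Domain\$GroupName is already in Administrators on $Computer"
} else {
    $admins.Add("$groupPath,group")
    Write-Output "Added $Domain\$GroupName to Administrators on $Computer"
}

# Audit: domain users granted admin rights directly rather than through a group.
# Local accounts carry the computer name in their path and are skipped.
Get-LocalAdminMember |
    Where-Object { $_.Class -eq 'User' -and $_.Path -notlike "*/$Computer/*" } |
    ForEach-Object { Write-Warning "Direct domain user in Administrators: $($_.Path)" }

# Final membership for the record.
Get-LocalAdminMember | Sort-Object Class, Name | Format-Table Class, Name, Path -AutoSize
```

If a Restricted Groups policy that defines the members of Administrators applies to the machine, that policy overwrites local changes like this one at the next policy refresh.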



Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

586 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question