
Server 2008 domain workstation admin

The scenario is a small rural school with a Server 2008 domain controller. The domain administrator is also administrator of all workstations, so if he logs on to a workstation, he can add/remove programs, etc. They need a domain user that is NOT a domain admin, but is admin over all workstations (most are XP). Suggestions for the easiest way to do this, please? Thanks
1 Solution
I have accomplished this myself by using Restricted Groups in Group Policy.

Create or edit one of your policies that governs your workstations and navigate to:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

Add a new group.  The name of the group should match exactly the group you want to modify. So in this example, you would type: administrators.

Next you will want to add that user to the "members of .." box.

CAUTION: This will make the local administrators group mirror your policy exactly.  In other words, it will also remove any local admins that are not listed in the policy.  So if you do not add Domain Admins to this policy then Domain Admins will be removed.
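
A check for the CAUTION in the answer above, added here as an example and not part of the original thread: it compares a workstation's local Administrators membership with the list configured under Restricted Groups, reporting anything missing or left over. The `SCHOOL` domain, the `Workstation Admins` group and `PC01\olduser` are assumed names, not taken from the question.

```powershell
# Expected members, exactly as entered in the Restricted Groups policy.
# All names are assumptions made for this example.
$Expected = @(
    'SCHOOL\Domain Admins',       # must be listed, or the policy removes it
    'SCHOOL\Workstation Admins'   # hypothetical group holding the non-domain-admin account
)

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The WinNT ADSI provider works on PowerShell 2.0, so XP clients are covered.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://SCHOOL/Domain Admins or WinNT://SCHOOL/PC01/olduser
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[-1] }
    }
}

function Compare-AdminMembership {
    param([string[]]$Expected, [string[]]$Actual)
    # -notcontains is case-insensitive, which matches how account names behave.
    $missing    = @($Expected | Where-Object { $Actual -notcontains $_ })
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{
        Missing    = $missing      # in the policy but not on the machine
        Unexpected = $unexpected   # on the machine but not in the policy
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample: a workstation the policy has not reached yet.
$sample = @('SCHOOL\Workstation Admins', 'PC01\olduser')
Compare-AdminMembership -Expected $Expected -Actual $sample

# Live check on the machine the script runs on:
# Compare-AdminMembership -Expected $Expected -Actual (Get-LocalAdminMember)
```

Running the live check before linking the policy lists the accounts that would lose local admin rights; running it after a policy refresh confirms the group matches the policy.
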

Sushil Sonawane commented:
Add the domain user to the desktops' local Administrators group, so that he will not be a domain admin but a domain user who is administrator of the local desktop.


I guess adding a local admin with a common password to all the workstations is the easiest way to go.
