Server 2008 domain workstation admin

Scenario is small rural school with server 2008 domain controller. Domain administrator, is also all workstations administrator, so, if he logs on to a workstation, he can add/remove programs, etc.  They need a domain user that is NOT a domain admin, but is admin over all workstations.  (most are xp).  Suggestions for easiest way to do this please? Thanks
Who is Participating?
jekautzConnect With a Mentor Commented:
I have accomplished this myself by using Restricted Groups in Group Policy.

Create or edit one of your policies that governs your workstations and navigate to:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

Add a new group.  The name of the group should match exactly the group you want to modify. So in this example, you would type: administrators.

Next you will want to add that user to the "members of .." box.

CAUTION: This will make the local administrators group mirror your policy exactly.  In other words, it will also remove any local admins that are not listed in the policy.  So if you do not add Domain Admins to this policy then Domain Admins will be removed.
Sushil SonawaneCommented:
Add domain user to desktop local administrators group so that he will not a domain admin but domain user administrator of local desktop.


I guess adding a local admin is the easiest way with common password to all the workstations  is the easiest way to go.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.