Solved

How to make user local laptop admin

Posted on 2013-06-19
5
2,177 Views
Last Modified: 2013-06-21
Our domain is locked down that no user but a domain admin can install any software.  How can you give local admin to one user for only one computer.  I am sure its a group policy but I am very weak in that area so detailed instructions would be helpful
0
Comment
Question by:bachopper
5 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39261140
Off the top of my head, I would just add the user to the laptop's administrators group... any reason you don't do that?
0
 
LVL 1

Expert Comment

by:RCWade
ID: 39261232
Assuming Win7 Pro with a domain user account.

Login to the laptop as a domain admin.
In the Start menu, type 'User' and open the User Accounts screen.
Click Manage User Accounts
Add a new account using the domain/username for the local user you want to grant.
Make the account Administrator when you get the option.

Now when the user logs in to the domain, it is a local admin for that machine.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39263254
As you need to apply on single computer perform the same locally instead of applying GPO.

Start>Run> 'compmgmt.msc'
Go to Local Users and Groups> Groups> Administrator, and add the  account to the local workstation as an admin.
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39263263
You would use the "Restricted Groups" as specified in Group Policy:

Open Group Policy Management Console:
1) Create a new Group Policy Object
2) Go to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
3) Create a new group:
Group:  "BUILTIN\Administrators"
Members: BLAH\Domain Admins, BUILTIN\Administrators, BLAH\Laptop Admins
Member of: (you can leave blank)

Apply this GPO to the OU where the laptops are (do not apply to any other workstations or servers!)

In Active Directory:
1) Create a security group called "Laptop Admins" and include the laptop users as members of this group (if you already don't have one)

This would set the GPO so that laptop admins would include regular domain admins and domain users that log onto the laptop(s).
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39265393
If you are planning to use resticted group policy ensure that restricted group policy is configured correctly else it will not only add required members to local Administratiors, but it will remove any members that were in local Admins previously.You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines.http://www.frickelsoft.net/blog/?p=13
 
You can also Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group
net localgroup Administrators "Domain\Group" /Add
That's it....the next time the computers are started, the group will be added to the local admin group.

Instead of group you can mention userid as below
NET localgroup Administrators /add "domain_name\domain_Userid"

Again for single computer I personally will perform locally instead of GPO as mentioned before choice is yours
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
In-place Upgrading Dirsync to Azure AD Connect
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question