How to make user local laptop admin

Posted on 2013-06-19
Last Modified: 2013-06-21
Our domain is locked down so that no user but a domain admin can install any software. How can you give local admin to one user for only one computer? I am sure it's a group policy, but I am very weak in that area, so detailed instructions would be helpful.
Question by:bachopper
5 Comments

Expert Comment

by:Lee W, MVP
ID: 39261140
Off the top of my head, I would just add the user to the laptop's administrators group... any reason you don't do that?

Expert Comment

by:RCWade
ID: 39261232
Assuming Win7 Pro with a domain user account.

Log in to the laptop as a domain admin.
In the Start menu, type 'User' and open the User Accounts screen.
Click Manage User Accounts
Add a new account using the domain/username for the local user you want to grant.
Make the account Administrator when you get the option.

Now when the user logs in to the domain, it is a local admin for that machine.

Accepted Solution

by:Sandeshdubey
ID: 39263254
As you need to apply this on a single computer, perform the same locally instead of applying a GPO.

Start>Run> 'compmgmt.msc'
Go to Local Users and Groups> Groups> Administrator, and add the account to the local workstation as an admin.

Expert Comment

by:ThinkPaper
ID: 39263263
You would use the "Restricted Groups" as specified in Group Policy:

Open Group Policy Management Console:
1) Create a new Group Policy Object
2) Go to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
3) Create a new group:
Group:  "BUILTIN\Administrators"
Members: BLAH\Domain Admins, BUILTIN\Administrators, BLAH\Laptop Admins
Member of: (you can leave blank)

Apply this GPO to the OU where the laptops are (do not apply to any other workstations or servers!)

In Active Directory:
1) Create a security group called "Laptop Admins" and include the laptop users as members of this group (if you don't already have one)

This would set the GPO so that laptop admins would include regular domain admins and domain users that log onto the laptop(s).

Expert Comment

by:Sandeshdubey
ID: 39265393
If you are planning to use a restricted group policy, ensure that the restricted group policy is configured correctly, else it will not only add the required members to local Administrators, but it will also remove any members that were in local Admins previously. You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines. http://www.frickelsoft.net/blog/?p=13
 
You can also set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
net localgroup Administrators "Domain\Group" /Add
That's it... the next time the computers are started, the group will be added to the local admin group.

Instead of a group, you can specify a user ID as below:
NET localgroup Administrators /add "domain_name\domain_Userid"

Again, for a single computer I personally would perform this locally instead of via GPO; as mentioned before, the choice is yours.
0
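
A startup-script variant of the `net localgroup` approach above that acts on one computer only, as the question asked, and only ever adds to the group. This is an added example, not code from any of the posts; the computer name `LAPTOP01`, the user `jdoe` and the log file path are hypothetical placeholders, and `BLAH` is the placeholder domain used in the thread.

```powershell
# Added example: intended to run as a GPO computer startup script (runs as SYSTEM).
# Hypothetical placeholders: LAPTOP01, jdoe, and the log path. BLAH is the
# placeholder domain from the thread.
$TargetComputer = 'LAPTOP01'
$Domain         = 'BLAH'
$User           = 'jdoe'
$LogFile        = Join-Path $env:SystemRoot 'Temp\localadmin-audit.log'

# Scope guard: even if the GPO is linked too broadly, every other machine exits here.
if ($env:COMPUTERNAME -ne $TargetComputer) { return }

# Resolve the built-in Administrators group by its well-known SID (S-1-5-32-544)
# so the script does not depend on the localized group name.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# Return current members as WinNT ADsPath strings (works on PowerShell 2.0 and later).
function Get-MemberPaths($g) {
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$wanted = "WinNT://$Domain/$User"
$before = @(Get-MemberPaths $group)

# Idempotent add: touch the group only when the account is missing.
# Nothing is ever removed, unlike a Restricted Groups "Members" list.
if ($before -notcontains $wanted) {
    $group.Add($wanted)
}

# Record membership before and after so a reviewer can confirm that only the
# one expected account was added and no existing member disappeared.
$after = @(Get-MemberPaths $group)
$stamp = Get-Date -Format 's'
"$stamp before: $($before -join '; ')" | Out-File -FilePath $LogFile -Append
"$stamp after:  $($after -join '; ')"  | Out-File -FilePath $LogFile -Append
```

Comparing the "before" and "after" lines in the log is a quick check that the local Administrators group on the laptop contains only the accounts you expect.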
