Group Policy for Local Admin rights

Hi All,
I would like to create a group policy (domain wide) for a manager that needs admin level access to domain servers on occasion. I am looking for a lower level of accessibility than a domain admin, yet enable access.
Thanks for the help,
Numbid Commented:
Domain admin can administer domain controllers, configure GPO, DNS, create or delete domain users, etc., and you probably don't want it.

Create a domain local (or global if AD forest) group with computer accounts you want to target.

To deploy a new local admin to member servers, create a new GPO or modify an existing one using gpmc.msc, linked to an OU containing target computers.

Restrict this GPO to the group previously created (and remove authenticated users)

Modify this GPO and go to: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

Right-click and select New Local Group

Name Administrators (built-in), and add your manager account as member of this group.

A great article here :
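
Added example, not part of Numbid's answer: the group, GPO, link and security-filtering steps above scripted with the ActiveDirectory and GroupPolicy modules, followed by a check of who actually ends up in the local Administrators group. The group name, GPO name, OU, server names and manager account are assumed placeholders; the Local Users and Groups preference item itself is still created in the GPO editor as described.

```powershell
# Assumed placeholder values (not from the thread); adjust to your environment.
$GroupName = 'SRV-LocalAdmin-Targets'            # holds the target computer accounts
$GpoName   = 'Servers - Manager Local Admin'
$TargetOu  = 'OU=Member Servers,DC=example,DC=com'
$Servers   = 'SRV01', 'SRV02'                    # constructed sample server names
$Manager   = 'jdoe'                              # constructed sample manager account

Import-Module ActiveDirectory, GroupPolicy

# 1. Group containing the computer accounts the GPO should apply to.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
$computers = $Servers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $computers

# 2. New GPO, linked to the OU that contains the target servers.
New-GPO -Name $GpoName | New-GPLink -Target $TargetOu

# 3. Security filtering: only the computer group applies the GPO.
#    Authenticated Users is lowered to Read rather than removed outright,
#    because computers must still be able to read the GPO to process it.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. The "Administrators (built-in)" preference item is added by hand in
#    gpmc.msc; there is no cmdlet for that step.

# 5. After the servers refresh policy, list local Administrators on each one
#    so unexpected members stand out.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
} | Sort-Object PSComputerName |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource

# 6. Confirm the manager did not also end up in Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($domainAdmins.SamAccountName -contains $Manager) {
    Write-Warning "$Manager is a member of Domain Admins"
}
```

Computers pick up new group membership at their next restart, so the GPO will not apply to a server added in step 1 until it has rebooted.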

Joseph Moody (Blogger and wearer of all hats.) Commented:
You can use restricted groups to make this security group a member of the administrators group on the domain member servers.
tagltd (Author) Commented:
JMoody, thanks for quick reply. I am a bit foggy on your solution. Can you perhaps explain in greater detail? I would like to create this for only one single manager. Also, is there any real difference between local admin and domain admin?
tagltd (Author) Commented:
Outstanding solution! Thanks plenty for the detail and level.
Question has a verified solution.
