Add users to local admin group to all domain computers

How do I add few users to all domain client computers uing GPO?  I know I can add a GPO under Restricted Groups and the group belongs to adminstartors.  The problem is that will also make them the domain controller administartor and they have full access to their own account to add themself to domain admin.  I just want the desktop support tech able to have admin permission to all client computers.  Thank you in advanced for your help.
Learning StageAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
First, NEVER add users directly.

Create a domain Workstation Admins group.  then add the users to that.  Then use group policy to add the Workstation Admins group to the workstations you want the techs to have admin access to.  

The instructions below are from

Create the Security Group

    Open Active Directory Users and Computers
    Select your Security Group OU
    Right Click and select New > Group
    Give the Group a name, I used “SG – Local Admins”

Create the GPO

    Open Group Policy Management Console.
    Right click the OU that contains the systems you want to set the local admin on
    Select “Create a GPO in this domain, and Link it here…”
    Name the GPO. I used “Set Local Administrators”
    Right Click the GPO and select Edit.
    Set the following:
        Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
        Right Click and select “Add Group…”
        Select browse and add the Administrators group
        Select OK
        Double click Administrators
        Select Add for “Members of this group:”
        Browse and find your security group. I added “SG – Local Admins”

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
And I hope you're creating separate admin groups and not just adding their regular user account.  For example, if you have a tech named John Doe with a user account of jdoe - I hope you're NOT adding that to the local admins group.  Instead, you should be creating and adding admin-jd or adm-jdoe or something like that - a SEPARATE admin account.  Otherwise, if an admin gets infected in his every day work he could infect the entire network of workstations.
Learning StageAuthor Commented:
The problem with this is addming to administrators group.  That will also add the local admin group the the administrators group on DC.  Once you are an administrator on DC, you can pretty much do everything.  Did I miss something?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Lee W, MVPTechnology and Business Process AdvisorCommented:
Did I miss something?

You create a NEW group called "Workstation Admins"

You use Group Policy to assign that group to the local Administrators group of machines in the OUs you want.  (NEVER assign group policies at the root of the domain).

You then put the users you want as admins on the local workstations in the Workstation Admin group you created.

You can easily add or remove people without having to modify group policy or remote in to machines.
Will SzymkowskiSenior Solution ArchitectCommented:
Adding users to local administrators does NOT give them access to the domain admins group. So this is a viable solution. Adding a user to a local admin group on a workstation only provides local admin access so I would just recommending using restricted groups.

David Johnson, CD, MVPOwnerCommented:
use wmi filtering on the group policy to apply only to client machines.
You first have to create the WMI Filter and then you can then apply it to your group policy object.
select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3") 

Open in new window

Learning StageAuthor Commented:
So it'll just create a link in that OU and the actural policy is still in the GPO.  The GPO will only run on where the link is?
Learning StageAuthor Commented:
Lee W, users in local admin security group still getting DC administrator permission after move the policy to OU that has all the client stations.  Any suggestion?
Lee W, MVPTechnology and Business Process AdvisorCommented:
DC's don't have local groups so I'm not sure what you did.  Pictures can help if you want to post them.  

I'll try to be very clear.
1. UNDO what you've done so far.
2. Create - on your DC - a new Global Security Group called "Workstation Admins"
3. DO NOT add this group to the domain admins group.  ONLY add users to this group.
4. Setup the policy as per the link I provided above.

RIGIDLY adhere to these steps.

It sounds like you're not very experienced with AD.  You should probably setup a test lab to learn this stuff or take a class.  Or hire a professional to come in an assist you.  What I suggested has been something I've done in several environments and seen done in several very large environments... it works just fine if implemented properly. If you're having this kind of trouble mapping out groups and understanding the roles of the groups, DCs, local account databases and such, you're probably not the best person to be implementing something like this.
Learning StageAuthor Commented:
This is why I paid to be able to learn from experts like you.  It'll disappointing to see experts here telling people to go learn somewhere else or hire more knowledge experts to help with issues.  This will defeat the purpose of "Experts Exchange" and I believe is is how EE is making money.
David Johnson, CD, MVPOwnerCommented:
Wilbur has given you the correct advice. Did you follow his suggestions to the letter?  What problem are you experiencing?
Learning StageAuthor Commented:
Good solution, but need to have patience with people here to learn from the experts.
Lee W, MVPTechnology and Business Process AdvisorCommented:
@Learning Stage.

I'm sorry if you felt offended.  

This is potentially very complicated stuff.  Some things are easier than others.  Where It's fairly simple, I try to offer solutions and provide links to graphically detailed examples.  Where it's complicated, the person asking the question needs to be realistic.  A nurse can administer medications, bandage wounds, provide basic medical assistance, but she knows she can't ask a couple of questions on a forum and then perform an open heart transplant.  I find a LOT of people don't respect the complexity of these solutions and sometimes the best answer is hire a pro or spend a LOT of time learning it.  TIME is valuable - I used to spend many hours trying to understand and solve annoying problems on client systems at no charge to them - over time I realized I couldn't do that and it was more economical to just re-install.  The basic concept applies to everything in technology - what is the most cost efficient method.  learning is great - but then screwing up doesn't matter because you learn... but that only works on NON-PRODUCTION systems.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.