Local admin rights on a domain connected workstation for ONLY the computer the user is actively logged into.
Posted on 2016-08-08
I'd like to know if there is a way to assign local admin rights on a Windows 7 Pro PC that is connected to a domain, for ONLY the PC to which the domain user is currently logged into, not every PC that user may use.
Here is the scenario I'm dealing with: I have a group of domain connected computers that run a number of archaic legacy applications requiring local admin rights. Unfortunately, the PC's currently have the Domain Users AD group in the Local Administrators Group. I'm not pleased for with this scenario as I see the potential for malware to infect every computer setup in this manner, since the logged in user effectively has admin rights to every local PC on the LAN. Since I cannot immediately remove Domain Users from the Local Administrators Group, I'd like to know if there is a way to to assign the local admin right to the currently authenticated user on the PC to which they've logged in. Is that possible? Is there some group that I'm unaware of that could accomplish that task? I realize that I could just add only the user as the local administrator of the PC they're using, but these users tend to roam around quite a bit and it would increase the administrative burden on IT staff.