Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Local admin rights on a domain connected workstation for ONLY the computer the user is actively logged into.

Posted on 2016-08-08
2
Medium Priority
?
41 Views
Last Modified: 2016-08-12
I'd like to know if there is a way to assign local admin rights on a Windows 7 Pro PC that is connected to a domain, for ONLY the PC to which the domain user is currently logged into, not every PC that user may use.

Here is the scenario I'm dealing with: I have a group of domain connected computers that run a number of archaic legacy applications requiring local admin rights. Unfortunately, the PC's currently have the Domain Users AD group in the Local Administrators Group. I'm not pleased for with this scenario as I see the potential for malware to infect every computer setup in this manner, since the logged in user effectively has admin rights to every local PC on the LAN. Since I cannot immediately remove Domain Users from the Local Administrators Group, I'd like to know if there is a way to to assign the local admin right to the currently authenticated user on the PC to which they've logged in. Is that possible? Is there some group that I'm unaware of that could accomplish that task? I realize that I could just add only the user as the local administrator of the PC they're using, but these users tend to roam around quite a bit and it would increase the administrative burden on IT staff.
0
Comment
Question by:Brook_Lane
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 2000 total points
ID: 41747396
You can do this with Group Policy Preferences and the current user variable. Here is a guide on doing this: https://deployhappiness.com/clever-way-manage-administrative-rights-regular-users/
0
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41747425
There are users called;  SELF, Interactive logon users, authenticated user.  I think they could be added to admin groups.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question