Is there any built in group within AD for local administrator?

Posted on 2016-10-01
Medium Priority
Last Modified: 2016-10-19
Is there any built in group within AD that will grant the members local administrative permission on computers in the domain?

I will appreciate any guidance!
Question by:LuiLui77
  • 2
  • 2
LVL 18

Accepted Solution

awawada earned 2000 total points
ID: 41824835
Short answer no.

1. Create a Domain Group called for example "Local Admin"
2. add all users to this group that you want to grant as local administrators
3.  Use group policies to deploy this

Computer / Preferences / Control Panel / Local Users & Groups / Group – Administrator
Add your Domain Name\ the Group Local Admin


Look up the "Restricted Groups" Group Policy.
LVL 58

Expert Comment

ID: 41824865
Short answer: yes! Of course the group domain administrators is by default member of the local administrator group of any domain member.

Whether it is sensible to use that group for client administration is another question.
LVL 18

Expert Comment

ID: 41824874
McKnife is correct there.

Do you really want to grant users as Domain Admins?
A Domain Admin is more than a local Administrator.
Windows Built-in Users and Default Groups http://ss64.com/nt/syntax-security_groups.html

Author Comment

ID: 41826236
Is just local administration of the client machines, not to domain or servers
LVL 58

Expert Comment

ID: 41826255
Then the approach as described by awawada should be used and the ´GPO should of course only be applied to an OU with client computers, not servers.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Scripts are great for performing batch jobs against users, however sometimes the GUI is all you need.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question