Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Is there any built in group within AD for local administrator?

Posted on 2016-10-01
5
Medium Priority
?
66 Views
Last Modified: 2016-10-19
Is there any built in group within AD that will grant the members local administrative permission on computers in the domain?

I will appreciate any guidance!
0
Comment
Question by:LuiLui77
  • 2
  • 2
5 Comments
 
LVL 18

Accepted Solution

by:
awawada earned 2000 total points
ID: 41824835
Short answer no.

1. Create a Domain Group called for example "Local Admin"
2. add all users to this group that you want to grant as local administrators
3.  Use group policies to deploy this

Computer / Preferences / Control Panel / Local Users & Groups / Group – Administrator
Add your Domain Name\ the Group Local Admin

or

Look up the "Restricted Groups" Group Policy.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 41824865
Short answer: yes! Of course the group domain administrators is by default member of the local administrator group of any domain member.

Whether it is sensible to use that group for client administration is another question.
1
 
LVL 18

Expert Comment

by:awawada
ID: 41824874
McKnife is correct there.

@LuiLui77
Do you really want to grant users as Domain Admins?
A Domain Admin is more than a local Administrator.
Windows Built-in Users and Default Groups http://ss64.com/nt/syntax-security_groups.html
0
 

Author Comment

by:LuiLui77
ID: 41826236
Is just local administration of the client machines, not to domain or servers
0
 
LVL 57

Expert Comment

by:McKnife
ID: 41826255
Then the approach as described by awawada should be used and the ´GPO should of course only be applied to an OU with client computers, not servers.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question