Tutorials

How to make a normal domain user member of the Local Administrators group for the client computers in your domain

How to make a normal domain user member of the Local Administrators group for the client computers in your domain

I was asked to create a security group for users that needed be assigned administrative tasks on client computers. An admin that helps the domain administrator on daily tasks like installing new software or drivers on the client computers but you do not want that ‘admin’ to have any permissions that could jeopardize the security on servers. We will accomplish this by creating a GPO and a special security group on the DC in your domain.

  1. Open Active Directory Users and Computers, choose Users and create a new Group
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  2. Name the Group Local Admins so that it is easy to recognize what this group does.
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  3. Choose Add to add users.
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  4. I have added John to this group. He is going to help users with ‘local’ issues on the workstations or laptops.
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  5. Open Group Policy Manager, right click the hive ‘Group Policy Objects’ and choose New. Give the new policy a name and click OK
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  6. Right click the policy you just made and choose Edit.
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  7. Browse to ‘Restricted Groups’, right click and choose ‘Add Group’.
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  8. Add the Local Admins security group you just created and click OK
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain
  9. Now you need to add the groups to which this security group is a member of and that would be ‘Administrators’ and ‘Remote Desktop Users’. After this click OK and link the GPO to whatever OU you want. I would link it to a the computers OU in where your client computers live. If you have also Servers in that OU and you want to prevent the Local Admins group to have permissions on those servers I suggest you create a WMI filter for this to limit the scope of your policy.
    How to make a normal domain user member of the Local Administrators group for the client computers in your domain

About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.

Change your cookie settings


 
Contact Us
(030) 2250455

International: +31302250455

 

Concentrix BV

C. de Rijcklaan 1

3723 PM Bilthoven

The Netherlands

KvK 30202318

VAT Id 814036739B01

The layout of this page is made to be viewed online.