Local PC administration

Guest

I have a domain using a WIN2K DC. I want to enable a user account that can
perform all of the functions of a Local PC Administrator on all of my domain
workstations. I don't want to give any domain level admin rights to this user
and so the Domain Admins group seems excessive. I want this user to be able
to add/remove programs, install printers, and install windows/office updates.
Is there a built-in group that will allow this? Or is there a way to add a
user to the local PC administrators group on all the workstations using a
group policy object?
 
Cary Shultz [A.D. MVP]

Linn Allen,

You might want to take a look at adding this specific Domain user account
object to the local Administrators group on each PC. The hard way would be
to go to each PC and manually do this. The easy way would be to create a
security group ( call it Workstation Admins or something similar ), make
that specific Domain user account object a member of that group and then use
the Restricted Users GPO to add that domain security group to the local
Administrators group on each Domain PC. Please take a look at the following
link:

http://support.microsoft.com/?id=320065

And please note that you really need to heed the Step 3 IMPORTANT notice.
You really need to do this from a workstation that has the Adminpak
installed.

Also, be aware of the default behavior of this GPO. It flushes the current
'contents' of that group ( in this case, the local Administrators group )
and then makes only the group that you specify ( in this case, the
Workstation Admins ) a member. This poses a potential problem. By default,
the Domain Admins group is also a member of the local Administrators group.
I think that you might want to keep this. So, there are two possible
solutions:

1) when adding the Workstation Admins also add the Domain Admins
2) see the following link:

http://support.microsoft.com/?id=810076

The choice is yours.

You could also use a startup script but that does not really do the same
thing as this GPO. You can still add other users and / or groups to the
local Administrators group. With the GPO only the groups that you specify
in the GPO can be made a member.....

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
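
As an added example (not part of the posts above and not Microsoft's code): a dry run of the flush-and-replace behaviour the answer describes, showing which accounts a workstation would lose from its local Administrators group, with and without option 1. It assumes the policy is available as a security template `[Group Membership]` section with `<group>__Members` lines; the domain, the account names and both templates are constructed.

```python
import configparser

# Constructed template text; the [Group Membership] layout is an assumption.
TEMPLATE_ONLY_WS = """\
[Group Membership]
Administrators__Memberof =
Administrators__Members = EXAMPLE\\Workstation Admins
"""
# Constructed variant for option 1: Domain Admins listed as well.
TEMPLATE_WITH_DA = TEMPLATE_ONLY_WS.rstrip() + ",EXAMPLE\\Domain Admins\n"
# Constructed current membership of one PC's local Administrators group.
CURRENT = ["EXAMPLE\\Domain Admins", "EXAMPLE\\jsmith"]


def parse_restricted_groups(text):
    """Return {group: [members]} for each '<group>__Members' line."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep group names as written
    cp.read_string(text)
    policy = {}
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        if kind.lower() == "members":
            policy[group] = [m.strip() for m in value.split(",") if m.strip()]
    return policy


def preview(current, enforced):
    """Model flush-and-replace: afterwards only `enforced` are members."""
    cur = {n.lower(): n for n in current}   # account names compare
    enf = {n.lower(): n for n in enforced}  # case-insensitively
    return {
        "removed": sorted(cur[k] for k in cur.keys() - enf.keys()),
        "added": sorted(enf[k] for k in enf.keys() - cur.keys()),
        "result": sorted(enf.values()),
    }


if __name__ == "__main__":
    for label, text in (("Workstation Admins only", TEMPLATE_ONLY_WS),
                        ("option 1, plus Domain Admins", TEMPLATE_WITH_DA)):
        members = parse_restricted_groups(text)["Administrators"]
        print(label, preview(CURRENT, members))
```

Anything in `removed` that should keep administrative access has to be listed in the policy before it is linked.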