Re: Local PC administration



Linn Allen,

You might want to take a look at adding this specific Domain user account
object to the local Administrators group on each PC. The hard way would be
to go to each PC and manually do this. The easy way would be to create a
security group ( call it Workstation Admins or something similar ), make
that specific Domain user account object a member of that group and then use
the Restricted Users GPO to add that domain security group to the local
Administrators group on each Domain PC. Please take a look at the following
link:

http://support.microsoft.com/?id=320065

And please note that you really need to heed the Step 3 IMPORTANT notice.
You really need to do this from a workstation that has the Adminpak
installed.

Also, be aware of the default behavior of this GPO. It flushes the current
'contents' of that group ( in this case, the local Administrators group )
and then makes only the group that you specify ( in this case, the
Workstation Admins ) a member. This poses a potential problem. By default,
the Domain Admins group is also a member of the local Administrators group.
I think that you might want to keep this. So, there are two possible
solutions:

1) when adding the Workstation Admins also add the Domain Admins
2) see the following link:

http://support.microsoft.com/?id=810076

The choice is yours.

You could also use a startup script but that does not really do the same
thing as this GPO. You can still add other users and / or groups to the
local Administrators group. With the GPO only the groups that you specify
in the GPO can be made a member.....

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)



"Linn Allen" <LinnAllen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:43D2F477-92D3-4FC6-A207-6E49812E4E25@xxxxxxxxxxxxxxxx
> I have a domain using a WIN2K DC. I want to enable a user account that can
> perform all of the functions of a Local PC Administrator on all of my domain
> workstations. I don't want to give any domain level admin rights to this user
> and so the Domain Admins group seems excessive. I want this user to be able
> to add/remove programs, install printers, and install Windows/Office updates.
> Is there a built-in group that will allow this? Or is there a way to add a
> user to the local PC administrators group on all the workstations using a
> group policy object?
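
An added example, not part of the original post: a PowerShell check for the two outcomes the reply describes, a local Administrators group that has lost Domain Admins after the policy replaced its membership, and one that still holds extra members because only a startup script was used. The CONTOSO domain, the PC01 host name and the member lists are constructed, and the function name is hypothetical.

```powershell
# Added example. Compares the members of a local Administrators group
# against the baseline you intend the policy to enforce.
function Compare-LocalAdminMembership {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Actual,
        [Parameter(Mandatory)][string[]]$Expected
    )
    # -notcontains is case-insensitive, which matches Windows account names.
    $missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })

    [pscustomobject]@{
        Missing    = $missing       # expected members that are no longer present
        Unexpected = $unexpected    # members nobody put in the baseline
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Baseline (constructed): adjust to what your policy is meant to leave in place.
$expected = @(
    'PC01\Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

# Constructed sample 1: the policy listed only Workstation Admins,
# so Domain Admins is gone from the group.
$policyOnlyWorkstationAdmins = @(
    'PC01\Administrator',
    'CONTOSO\Workstation Admins'
)

# Constructed sample 2: a startup script added the group, but an
# account added by hand earlier is still a member.
$startupScriptOnly = @(
    'PC01\Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins',
    'CONTOSO\jdoe'
)

Compare-LocalAdminMembership -Actual $policyOnlyWorkstationAdmins -Expected $expected
Compare-LocalAdminMembership -Actual $startupScriptOnly -Expected $expected

# On a live workstation (PowerShell 5.1 or later), feed in the real members:
#   $actual = (Get-LocalGroupMember -Group 'Administrators').Name
#   Compare-LocalAdminMembership -Actual $actual -Expected $expected
```

The first call reports `CONTOSO\Domain Admins` under Missing, and the second reports `CONTOSO\jdoe` under Unexpected.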

