Make a Domain User the Local Administrator for all PCs



The whole job is one Group Policy Object (GPO), linked to the domain or to the OU that contains all the computers you want to manage.

Step 1: Creating a Security Group

First you need a security group called Local Admin. Log on to a Domain Controller and open Active Directory Users and Computers (dsa.msc). From the menu select Action | New | Group:


Name the group Local Admin and leave it as a Global security group.


Add the Help Desk staff to the Local Admin group. In this example we add two users, Tom and Bob.


Step 2: Create Group Policy

Next you need a Group Policy Object called "Local Admin GPO". Open the Group Policy Management Console (gpmc.msc), right-click Group Policy Objects and select New.


Type the name of the policy "Local Admin GPO":


Step 3: Configure the policy to add the “Local Admin” group as Administrators

Here you add the Local Admin group to the Local Admin GPO and specify which local groups it should be placed in on every computer. Right-click the "Local Admin GPO" policy and select Edit.


Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. In the left pane, right-click Restricted Groups and select "Add Group".


In the Add Group dialog box, click Browse, type Local Admin and click "Check Names" so the name resolves to the domain group.


Click OK twice to close the dialog box.


  • Click Add under “This group is a member of:”.
  • Add the “Administrators” Group.
  • Add “Remote Desktop Users”.
  • Click OK twice.

NOTE: The names you enter under "This group is a member of:" are resolved on each computer when the policy applies, so any local group name works: if you typed "Admins", Local Admin would be placed into a local group called Admins on every computer where such a group exists.

Use "This group is a member of:" rather than "Members of this group:" for this task. The former adds Local Admin to the listed local groups without touching their existing members. "Members of this group:" is authoritative: it makes the listed accounts the only members of the group and removes anyone else on every policy refresh, which would strip the built-in local Administrator account and any other local admins from the Administrators group.

Step 4: Linking GPO

In the Group Policy Management Console, right-click the domain or the OU that contains the computers and select "Link an Existing GPO":


Select the Local Admin GPO:

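Steps 1, 2 and 4 can be scripted from a domain controller or a workstation with RSAT. The following PowerShell is an added example, not part of the original article: it creates the group, adds the two users, creates the GPO and links it, and is safe to re-run. It assumes the ActiveDirectory and GroupPolicy modules are installed, that you run it as a domain administrator, that users "tom" and "bob" already exist, and that the target OU "OU=Workstations,DC=corp,DC=example" exists (a hypothetical DN; substitute your own). Step 3 (Restricted Groups) has no dedicated cmdlet, so that part is still done in the Group Policy editor as described above.

```powershell
# Added example (not from the original article). Assumptions: RSAT ActiveDirectory and
# GroupPolicy modules, domain-admin rights, users 'tom' and 'bob' exist, and the OU below
# exists. The OU distinguished name is hypothetical; replace it with your own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$groupName = 'Local Admin'
$groupSam  = 'LocalAdmin'
$gpoName   = 'Local Admin GPO'
$targetOU  = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU

# Step 1: create the Global security group only if it does not already exist
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupSam'")) {
    New-ADGroup -Name $groupName `
                -SamAccountName $groupSam `
                -GroupScope Global `
                -GroupCategory Security `
                -Description 'Help Desk staff who are local administrators on all PCs'
}

# Add the Help Desk users; Add-ADGroupMember ignores members that are already present
Add-ADGroupMember -Identity $groupSam -Members 'tom', 'bob'

# Step 2: create the GPO only if it does not already exist
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Adds Local Admin to Administrators and Remote Desktop Users'
}

# Step 3 (Restricted Groups) is configured in the GPO editor, see the article text above.

# Step 4: link the GPO to the OU unless it is already linked there
$alreadyLinked = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}

# Show what was configured
Write-Host "Members of $groupName :"
Get-ADGroupMember -Identity $groupSam | Select-Object Name, SamAccountName | Format-Table -AutoSize

Write-Host "GPO links on $targetOU :"
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object DisplayName, Enabled, Order | Format-Table -AutoSize
```

Keep the group scope Global (or Universal in a multi-domain forest); a Domain Local group cannot be placed into local groups on member computers by Restricted Groups in other domains. The link check uses Get-GPInheritance because New-GPLink fails if the GPO is already linked to the same target.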

Step 5: Testing GPOs

Log on to a PC that is joined to the domain, run gpupdate /force, and check the local Administrators group (for example with "net localgroup Administrators"). You should now see DOMAIN\Local Admin listed there and in Remote Desktop Users. Make sure every PC you want to manage sits in an OU that the GPO link covers; computers outside that OU will not receive the policy. Tom and Bob can now sign in to all of those PCs remotely as local administrators. Because every member of Local Admin is an administrator on every computer the GPO covers, keep the group small and treat its members' credentials as privileged accounts.
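The check in Step 5 can be run as a script on any domain-joined PC. This is an added example, not part of the original article: it refreshes policy, then confirms that the domain group landed in both local groups and reports the current membership when it did not. It assumes the domain's NetBIOS name is CORP (hypothetical; use your own), that the Microsoft.PowerShell.LocalAccounts module is available (Windows 10 / Server 2016 and later), and that the console is elevated so gpresult can read the computer-scope results.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell on a
# domain-joined PC. The NetBIOS domain name below is hypothetical; replace it with yours.
$domain   = 'CORP'
$expected = "$domain\Local Admin"

# Refresh computer and user policy; gpupdate prints text, only the exit code matters here
gpupdate /force | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpupdate exited with code $LASTEXITCODE; policy may not have refreshed"
}

# Restricted Groups should have placed the domain group in both of these local groups
$allGood = $true
foreach ($localGroup in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $localGroup | Select-Object -ExpandProperty Name
    if ($members -contains $expected) {
        Write-Host "OK: '$expected' is a member of '$localGroup'"
    } else {
        $allGood = $false
        Write-Warning "'$expected' is NOT in '$localGroup'. Current members: $($members -join ', ')"
    }
}

# If something is missing, the usual causes are the computer sitting outside the linked OU
# or the GPO link being disabled; gpresult shows which GPOs this computer actually applied
if (-not $allGood) {
    gpresult /r /scope:computer
}
```

The membership check looks for the exact "DOMAIN\Local Admin" string that Get-LocalGroupMember reports for domain principals, so a typo in the group name in the GPO shows up here as a warning rather than being silently accepted.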