Granting a Domain User Administrative Privileges on their PC
Raj Kulkarni Apr 27, 2011 at 05:55 AM | Security

I have to grant certain domain users administrative rights on their own PC where they do
development work.

The domain name is: COMP_A.

The domain user name is: user1

When I log in as administrator on the domain client PC, I go to Control Panel-->Administrative
Tools-->Computer Management.

To give user1 local admin rights, I add the domain user to the Administrators group on the PC
by typing "COMP_A\user1". It then asks for the domain administrator's password, which I
enter. This is accepted.

When user1 logs in to the domain on that PC with local admin rights, user1 seems to have the
ability to add everybody to the local PC administrators group without asking for the domain
administrator's authentication. Have I done anything incorrectly?

10 Replies


Brian Thorp Apr 27, 2011 at 05:58 AM

No, the local PC administrator can control basically everything regarding that computer.

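Since a local administrator can indeed change local group membership, the practical control on the machine itself is visibility: Windows records every addition to or removal from a security-enabled local group in the Security log as event 4732 (member added) or 4733 (member removed), once the "Audit Security Group Management" subcategory is enabled (it is off by default on workstations). The PowerShell function below is an added example, not code from anyone in this thread; it reads those two events, keeps only the ones that touched the local Administrators group, and shows who made the change and which account was added or removed. It assumes Vista/Server 2008 or later (the 4732/4733 IDs; XP and 2003 used different IDs) and an elevated prompt. Nothing in it is specific to the COMP_A domain from the question; the computer name and look-back window are parameters.

```powershell
# Added example, not code from the thread. List changes to the local Administrators group from
# the Security log: 4732 = member added to a security-enabled local group, 4733 = member removed.
# Requires the "Audit Security Group Management" subcategory to be enabled and an elevated prompt.

function Get-LocalAdminGroupChanges {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    $filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as "no changes".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is the group that was modified; skip changes to other local groups.
        if ($data['TargetUserName'] -ne 'Administrators') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Computer  = $e.MachineName
            Action    = if ($e.Id -eq 4732) { 'Added' } else { 'Removed' }
            # Subject* fields identify the account that performed the change.
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # MemberName is a distinguished name for domain accounts and often '-' for local
            # ones, so keep the SID as well.
            Member    = $data['MemberName']
            MemberSid = $data['MemberSid']
        }
    }
}

# Changes on this PC in the last week. The ChangedBy column is what tells you whether the
# developer account, rather than Group Policy or a helpdesk account, altered the group.
Get-LocalAdminGroupChanges | Sort-Object Time | Format-Table -AutoSize
```

The same query can be pointed at several machines by passing -ComputerName in a loop, or the filter can be reused in an event forwarding subscription so the records leave the PC that the user administers.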


Brian Steingraber Apr 27, 2011 at 06:01 AM

You could use Group Policy Preferences here to control what user accounts are added to the
local administrators group.

It would automatically add that user and whatever other users/groups you want, as well as remove
all others in case a user does add an unauthorized account.



Rivitir Apr 27, 2011 at 06:02 AM

Brian2327 wrote:

You could use Group Policy Preferences here to control what user accounts are added to the
local administrators group.

It would automatically add that user and whatever other users/groups you want, as well as remove
all others in case a user does add an unauthorized account.
+1

Personally, I wouldn't give them Admin rights. Users always abuse privileges.



Raj Kulkarni Apr 27, 2011 at 07:09 AM

Hi Brian,

Unfortunately, that's what I also figured. Anyway, how could I restrict the users by using GPO?



Brian Steingraber Apr 27, 2011 at 07:15 AM

Raj, you can use a GPO to automatically add or remove either users or groups from a computer's
local groups.

This won't restrict a user, but it resets the group permissions as you set them, based on the Group
Policy refresh interval.

Computer Configuration > Preferences > Control Panel > Local Users and Groups

Keep in mind:

1. Windows XP computers need the GPP Client installed
2. These are preferences only and NOT policy



Witch-King Apr 27, 2011 at 07:53 AM

Raj Kulkarni wrote:

...how could I restrict the users by using GPO?

1. Create a new Group Policy Object and call it whatever you'd like.
2. Using Group Policy Management Editor, right-click on the policy and select edit.
3. Open Computer Configuration -> Policies -> Windows Settings -> Security Settings ->
Restricted Groups
4. Right-click "Restricted Groups", select "Add Group"
5. Under "Group", type "Administrators"
6. Click "OK"
7. Next to "Member of this group", click "Add"
8. Enter the name of the individuals or (preferably) Active Directory group you want to add.
9. Click "OK"
10. Close Group Policy Management Editor
11. Either apply the newly created GPO to your entire domain forest, or assign it to the
specific Organizational Units (OUs) that you wish it to apply to and make sure that the
computers you want affected by the GPO are members of those OUs.

This is pretty quick and dirty, but that's the basics of how you do it. I would definitely
recommend testing on a small number of systems before you deploy it to anything like your
entire domain.

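Brian Steingraber's Group Policy Preferences approach and Witch-King's Restricted Groups steps both come down to one authoritative member list that Group Policy re-applies on each refresh, so a member the developer adds by hand disappears again. The PowerShell function below is an added example, not code from anyone in this thread; it performs the same comparison on a single machine so you can confirm the policy took effect, or find a PC where it did not, before rolling the GPO out widely as Witch-King suggests. It reports members of the local Administrators group that are not on the approved list, reports approved members that are missing, and with -Enforce removes the unexpected ones (honouring -WhatIf). It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) and an elevated prompt; the approved names are assumptions built from the COMP_A domain and user1 in the question.

```powershell
# Added example, not code from the thread. Compare the local Administrators group against an
# authoritative list, the same semantics as Restricted Groups "Members of this group": anything
# not listed is unexpected (and removed with -Enforce), anything listed but absent is reported as
# missing. Requires Windows PowerShell 5.1+ and an elevated prompt.

function Test-LocalAdminMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Allowed principals in DOMAIN\Name or COMPUTER\Name form, as Get-LocalGroupMember reports them.
        [Parameter(Mandatory)]
        [string[]]$Approved,

        # Remove unexpected members instead of only reporting them (honours -WhatIf / -Confirm).
        [switch]$Enforce
    )

    $group   = 'Administrators'
    $current = @(Get-LocalGroupMember -Group $group)

    foreach ($member in $current) {
        # -notcontains compares case-insensitively, matching how Windows treats account names.
        if ($Approved -notcontains $member.Name) {
            $removed = $false
            if ($Enforce -and $PSCmdlet.ShouldProcess($member.Name, "Remove from $group")) {
                Remove-LocalGroupMember -Group $group -Member $member
                $removed = $true
            }
            [pscustomobject]@{
                Name   = $member.Name
                Source = $member.PrincipalSource   # Local, ActiveDirectory, ...
                Class  = $member.ObjectClass       # User or Group
                Action = if ($removed) { 'Removed' } else { 'Unexpected' }
            }
        }
    }

    # Approved principals that are absent; Restricted Groups would add these back on refresh.
    foreach ($name in $Approved) {
        if ($current.Name -notcontains $name) {
            [pscustomobject]@{ Name = $name; Source = '-'; Class = '-'; Action = 'Missing' }
        }
    }
}

# Assumed approved list for the COMP_A domain and user1 from the question.
$approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local Administrator account
    'COMP_A\Domain Admins',              # normally present on any domain-joined PC
    'COMP_A\user1'                       # the developer being granted local admin
)

Test-LocalAdminMembership -Approved $approved                    # report only
Test-LocalAdminMembership -Approved $approved -Enforce -WhatIf   # show what enforcement would remove
```

Listing a domain group such as a "Developer Workstation Admins" group instead of individual users keeps the approved list stable across machines, which is the same reason Witch-King prefers an AD group in step 8. One caveat: on some Windows builds Get-LocalGroupMember fails outright when the group still contains a SID that no longer resolves (for example a deleted domain account); if you hit that, clean the stale entry up with net localgroup Administrators first.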


NightFire Apr 28, 2011 at 07:28 AM

Witch-King wrote:

Raj Kulkarni wrote:

...how could I restrict the users by using GPO?

1. Create a new Group Policy Object and call it whatever you'd like.
2. Using Group Policy Management Editor, right-click on the policy and select edit.
3. Open Computer Configuration -> Policies -> Windows Settings -> Security
Settings -> Restricted Groups
4. Right-click "Restricted Groups", select "Add Group"
5. Under "Group", type "Administrators"
6. Click "OK"
7. Next to "Member of this group", click "Add"
8. Enter the name of the individuals or (preferably) Active Directory group you want
to add.
9. Click "OK"
10. Close Group Policy Management Editor
11. Either apply the newly created GPO to your entire domain forest, or assign it to
the specific Organizational Units (OUs) that you wish it to apply to and make sure
that the computers you want affected by the GPO are members of those OUs.

This is pretty quick and dirty, but that's the basics of how you do it. I would definitely
recommend testing on a small number of systems before you deploy it to anything like your
entire domain.

+1

This is how you do it. By using Members of this Group all other local admins will be removed
unless they are explicitly listed. So if the user tries to add another local admin it won't work.



rmuniz9336 Apr 28, 2011 at 09:23 AM

+1 for doing it through group policy.



squeak Apr 28, 2011 at 10:06 AM

Also, another approach may be to keep them running as their day-to-day AD account for
general tasks, and give them a local administrator account's credentials. Make them use UAC
prompts to elevate their privileges at the moment administrator access is required.
Obviously, this presumes you're running Vista+.

I run this way myself, and as an admin the number of times I ever use admin rights in a day is
pretty minimal, having appropriate user group rights around the network where necessary. If
your users are using crappy software that requires admin privileges, you should check application
compatibility options first, and NTFS rights to that particular program's folder should compat
options fail.

If your users are testing out software or settings and stuff, they only need the admin rights at those
moments, not when they check their email, browse the web or scratch their arse! ;) And if
developing, they should test that their apps work as standard users!


Reap3r Apr 28, 2011 at 11:01 PM

Btw - to use restricted groups you need Group Policy Management Console with the extensions
from Vista or later.

