How to configure user to be local administrator for all PC’s in a domain without making him domain administrator

0 pts.
Tags:
DataCenter
I have a windows 2003 based network and i want a certain user to be local administrator for all computers in an organizational unit without making him domain administrator. (so that he's able to install/uninstall software on the client PC's) Thanks in Advance. Jmalik
ASKED: March 4, 2005  7:10 AM
UPDATED: March 8, 2005  1:11 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

On the local computer, do the following:

1. Right Click on My Computer
2. Select Manage
3. Scroll to Local User and Groups and under Groups;
4. Double click on Administrators
5. Search for the Account (from your AD) you want to enable as a local Administrator
6. Click Add…that’s it!

Cheers.

PS. You can simply add ‘Domain Users’ to avoid each time adding a User in the Administrative Group.

Discuss This Question: 7  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Jmalik
    Thanks for ur reply slesh20. The problem is that I will have to add the user to the local administrators group one by one for all 60 PC's. The domain admin is automatically local admin for all PC's in the domain. Is there any way by which I can make a user/group local administrator for all computers in a domain by default (or in one go) without making him a domain admin? Thanks, jmalik
    0 pointsBadges:
    report
  • Imaginetsecurity
    Use Group Policy. Put those machines at issue into their own OU, create a policy for that OU that empowers your local administrator with the rights you require on those machines. I would suggest creating a user group in the OU through AD, add this user to the group, and then use that group in the above policy. This way you can change the group membership and the policy and machines are automatically upated.
    15 pointsBadges:
    report
  • TexasBoy
    Sounds like you're still getting an incomplete answer. You want to structure AD for administrative purposes. In this case you will need an OU container that has these 60 computers in it. Once you have done so, right-click the OU name and choose 'Delegate control'. This should launch the Delegate Control Wizard. You can specify just the type of administrative control you want to give for this OU to an individual. You can specify administering user accounts, adding computer accounts to domain, deleting computers, etc.
    0 pointsBadges:
    report
  • Rjournitz574
    Hello: From your original question it sounds to me like what you want is to have a user whose account is domain based be a local administrator on all the PC?s in that same domain but not make that user a Domain Admin or delegate any Domain privileges. If that is correct then I would suggest the following: 1. Write a VB script that: a. Gets the domain based user record. b. Adds this user to the Local Administrators group on the PC. 2.Add this script to an existing Computer Startup script in your AD Group Policy. If you do not have this policy script then create one. Once the above runs on all you PC?s you can delete that portion of the GPO. Email me directly at rjournitz574@charter.net if you would like an example of the script mentioned above. Randy
    0 pointsBadges:
    report
  • Melenie
    Add the user's domain account to the local administrator account on the machine. Just a note that if you don't have some type of imaging software to reimage machines when users "make big mistakes" on them, you may want to give them "power user" instead. XP Pro is a powerfull OS. I hope this helps.
    0 pointsBadges:
    report
  • Amigus
    This VBS script should do what you want. It will require some customization for your site and you'll need to run it from a domain controller or some computer trusted for delegation, as a Domain Administrator. ' -- BEGIN -- ' Add user to local group for all domain computers. strDomainSuffix = "DC=example,DC=com" strDomain = "EXAMPLE" strUser = "Adam" strDstGroup = "Administrators" Const ADS_SCOPE_SUBTREE = 2 Set objConnection = CreateObject("ADODB.Connection") Set objCommand = CreateObject("ADODB.Command") objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" Set objCommand.ActiveConnection = objConnection ' Taylor this search to return the computers you want. objCommand.CommandText = "" _ & "select Name " _ & "from 'LDAP://" & strDomainSuffix & "' " _ & "where objectClass='computer' " _ & "and operatingSystem='Windows XP Professional' " _ & "" objCommand.Properties("SearchScope") = ADS_SCOPE_SUBTREE objCommand.Properties("Cache Results") = False objCommand.Properties("Timeout") = 300 Set objRecordSet = objCommand.Execute objRecordSet.MoveFirst Do Until objRecordSet.EOF strComputer = objRecordSet.Fields("Name").Value Set objGroup = GetObject("WinNT://" & strComputer & "/" & strDstGroup & ",group") Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user") WScript.Echo objUser.ADsPath & " -> " & objGroup.ADsPath objGroup.Add(objUser.ADsPath) objRecordSet.MoveNext Loop ' -- END --
    0 pointsBadges:
    report
  • Jmalik
    Thanks everyone esp rjournitz57 and amigus. The VBScript should do the trick. Thanks guys!
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following