Use GPO to Push Local Administrators

I often need to log in as an administrator on someone's account, but if I log in as the local administrator then I don't have easy access to domain resources. Therefore I need to log in to the computer with a domain account, but for security reasons it is not a good idea to use the domain administrator account to log in to local computers. For that reason it is useful to have a regular domain account added to the local Administrators group. When managing hundreds of computers this can be a time-consuming process; however, Microsoft thought of this and made it very easy to set this from your domain controller using Group Policy. Your GPO can push out an account or group of accounts to be placed in the local Administrators group on the computers in your network. This also works well if you want to give someone in your IT department administrative access to the computers in your network without making them a domain administrator. Remember, it is not a good idea to have a bunch of domain admins running around on your network. 🙂

Here are the steps to use a GPO to push out user accounts into the local Administrators group on computers. These steps are for Server 2008, but similar steps will work in other versions.

1. Define a security group in Active Directory Users and Computers and add the users you wish to give administrative rights to that group. In my example I called the group IT Administrators. To do that, log onto a domain controller, right-click Users and choose New -> Group. Once the group is created, right-click it, select Properties and choose the Members tab. Click the Add button and add the users you want in the Administrators group.

2. Now you need to create the group policy that will push out these settings. Please note it is not a good idea to use your Default Domain Policy; instead, create a new one. On your domain controller open Group Policy Management and navigate to the Organizational Unit that holds all your computer accounts. Right-click it and select Create a GPO in this domain, and Link it here. Give it a name; in my example I called it ComputerPolicy. You should now see the policy in the tree.

3. Now you will edit the policy to push out these settings. Right-click the policy you just created and select Edit. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. Right-click Restricted Groups and select Add Group. Type the group you created in step 1; in my example it was IT Administrators. You can also use the Browse button to find the group. Once you have it, click OK.

4. Now you need to choose the local group you want to add your domain group to. In this example you are adding the IT Administrators group to the local Administrators group. To do this, click the Add button under the "This group is a member of" section. Now type in Administrators and press OK, or use the Browse button to find the local group you are adding to, and then press OK until you get back to the GPO.

Note: you could also add your IT Administrators group to any other local group you have. Just make sure you spell and type it correctly so it matches the local group on the computer. Most policies take a few minutes to be pushed out to every computer, but once the policy has been applied on the computers you should be able to log in with an account in your IT Administrators group and have local admin rights on the computer.
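As an added example that is not part of the original post, here is a PowerShell script to check that the policy actually landed: it queries every computer in the OU the GPO is linked to and reports machines where IT Administrators is missing from the local Administrators group, or where extra accounts are present that the policy did not put there (the "This group is a member of" setting used in step 4 adds the group but leaves existing members untouched, so drift outside the policy goes unnoticed without a check like this). The OU path, the CORP domain name, WinRM access to the targets and Windows PowerShell 5.1 on them are assumptions.

```powershell
# Added example, not from the original post: audit local Administrators on the
# computers covered by the GPO and report drift from the expected membership.
# Assumptions: domain NetBIOS name CORP, OU path below, WinRM reachable, and
# Windows PowerShell 5.1+ on the targets (provides Get-LocalGroupMember).
Import-Module ActiveDirectory

$ComputerOU = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed OU linked to ComputerPolicy

# Accounts that are allowed in local Administrators. The built-in local
# Administrator is added per machine below because its name carries the hostname.
$Expected = @(
    'CORP\IT Administrators',   # the group pushed by the Restricted Groups policy
    'CORP\Domain Admins'        # present by default on domain-joined machines
)

$Computers = Get-ADComputer -Filter * -SearchBase $ComputerOU |
    Select-Object -ExpandProperty Name

# Collect membership from each machine in parallel; unreachable hosts are reported separately.
$Results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($Expected)
    $allowed = $Expected + "$env:COMPUTERNAME\Administrator"
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        HasITAdmins = ($members -contains 'CORP\IT Administrators')   # did the GPO apply?
        Unexpected  = @($members | Where-Object { $allowed -notcontains $_ })  # added outside the policy
    }
} -ArgumentList (,$Expected)

# Machines where the policy has not applied, or where someone else has been granted admin.
$Results | Where-Object { -not $_.HasITAdmins -or $_.Unexpected.Count -gt 0 } |
    Format-Table Computer, HasITAdmins, @{ n = 'Unexpected'; e = { $_.Unexpected -join ', ' } } -AutoSize

# Machines that did not answer at all (offline, or WinRM not enabled).
$Unreachable = $Computers | Where-Object { $Results.Computer -notcontains $_ }
if ($Unreachable) { "Unreachable: $($Unreachable -join ', ')" }
```

If a machine shows HasITAdmins as False shortly after linking the GPO, run `gpupdate /force` on it and re-check before assuming the policy is wrong.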
