Local Administrators and Active Directory

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi all
I wonder if somebody could help me.
I'm trying to create a user in AD that has rights to Administer the XP PC
he/she logs into (given local admin rights). The PC has been joined to the
domain and that AD user is logging into the domain on the XP PC.
I thought this would be a simple matter of adding that user to the
builtin\Administrators group, and then logging on, but this didn't work.
HOWEVER - If the Domain administrator account (domain.devel\Administrator)
logs into the domain on an XP PC, they have admin rights over the PC! I
cannot seem to give another user the same local rights.
So I'm wondering if anybody has a solution to this?
Thanks

Stuart Smith
4 answers Last reply
More about local administrators active directory
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    You are correct in that you need to add the domain user to the local
    administrators group.

    Just remember that in order to perform this task, you require a minimum of
    Power User permissions on that PC.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi
    Thanks for the prompt reply, but how do you grant Power User permissions to
    a Domain user, there is no AD group called power users, remembering that the
    domain account isn't created locally on the PC.
    I suppose what we are really after is the ability for somebody to be able to
    install device drivers and write to anywhere on the C drive on an XP
    workstation without being able to administer AD itself, only the local PC.
    Obviously Domain Admins is the group you need to add the user to for them to
    administer the PC, but we definitely can't give this right to our staff
    members!
    Thanks

    Stuart

    "ptwilliams" wrote:

    > You are correct in that you need to add the domain user to the local
    > administrators group.
    >
    > Just remember that in order to perform this task, you require a minimum of
    > Power User permissions on that PC.
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net/
    > http://forums.msresource.net/
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    You either logon to that box with administrative credentials and add the
    groups manually, or you automate this across the enterprise.

    If you go with the latter, then the most widely used options (and
    recommended here) are a startup script that uses net localgroup or the
    restricted groups aspect of GPO.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Ahh thanks very much,
    Looks like I'll start looking into Restricted groups in GPOs.
    Thanks again!

    Stuart

    "ptwilliams" wrote:

    > You either logon to that box with administrative credentials and add the
    > groups manually, or you automate this across the enterprise.
    >
    > If you go with the latter, then the most widely used options (and
    > recommended here) are a startup script that uses net localgroup or the
    > restricted groups aspect of GPO.
    >
    >
    > --
    >
    > Paul Williams
    >
    > http://www.msresource.net/
    > http://forums.msresource.net/
    >
    >
    >
Ask a new question

Read More

Domain Active Directory Windows XP Windows