This post is a humble summary of Alan Burchill’s brilliant post published at the following address in 2010:
Alan is the überhero (& self-declared genius…), so please thank him for his precious time and effort.
Alan’s methods reconnects to one of my previous articles were I talked about granting Local Admins credentials to Domain Users.
Here: http://www.pwrusr.com/?p=1534 AND here: http://www.pwrusr.com/?p=1681
Despite the method I discussed above are still valid as of today, IMHO, Secure Local Administrators a-la Alan-way is still the Best method.
Withoud further ado, I’ll just summarise what he’s explained on his post(s).
I’ll also assume you’ve designed a “proper” (best practice) Active Directory structure, namely by creating some OUs to organise “Groups of Computers” (ie.: “Laptops”-OU, “Servers”-OU, etc.).
The whole point of Alan’s article allows you to granularly grant “Local Administrator”-Permissions to select Users, by mapping one to one relationships.
In other words, inside an Active Directory Domain, one designated User should be also “Local Administrator” of his [designated…] Computer -- this way all y’all pwrusrs out there can enjoy a certain degree of privileged of freedom :).
Not only that, you can also designate more than 1 User as Local Administrator of the same Computer.
How to setup Per-Computer “Local Admins” on a Domain.
- The very first step involves creating some Groups inside any of your designated OUs (say “Laptop01_Administrators”, “Laptop02_Administrators”, etc.).
Inside each of those Groups, you will place the Users capable of Locally Administering their Computer.
The idea here is:
- To use as less GPOs as possible.
- To avoid the “Restricted Groups” feature offered by Group Policy.
- Run gpmc.msc, create a new Group Policy Object and link it to your DOMAIN (refer to p.2).
- “Edit…” your new Group Policy as follows…
1. Browse the “Computer” –> “Preferences” –> “Control Panel Settings” –> “Local Users and Groups” tree.
2. On “Local Users and Groups”, Right Click on the white area and select “New” –> “Local Group”.
By so doing, you will update the “Administrators” Local Group Members (which by default is built in into each computer -- including Domain-Joined ones).
3. On the “Group Name”-dropdown, Select “Administrators (built-in)”.
Now “Add…” the built in Administrator Account to the Local Group:
Flag the “Delete all member users” & “Delete all member groups” checkmarks (ie. tick them), then click on the “Add…”-Button, copy/paste “BUILTIN\Administrator” (without quotes) and Press the “OK”-Button twice to confirm your selections and Close the “New Local Group Properties”-dialog.
Next you will specify who will be the Local Administrator for any of your Computers.
Please refer to Alan’s post for a detailed explanation about the settings I’m about to use:
Repeat Steps 1..3 and Add a New Local Group as follows:
Again, Select “Administrators (built-in)” from the “Group Name” dropdown.
This time DO NOT Check the “Delete all member users” & “Delete all member groups” Checkboxes (ie. leave them unchecked).
Click on the “Add”-Button and this time specify the Groups to which you wish to grant “Local Administrators” permissions.
Now, provided your Computer Groups were named as I suggested earlier (at the beginning of this post), you will Add something similar to the following:
“%DomainName%\%ComputerName%_LocalAdmins” (without quotes).
Please note: the previous entry encompasses ALL your Computers Groups (unless you wish to manually specify them, that is).
- %DomainName% represents your Domain Name.
- %ComputerName%_LocalAdmins includes all your Computer Groups.
Now you may wish to repeat the previous steps by including the Domain Admins.
While your next step could be to grant your desired Users membership to the “%ComputerName%_LocalAdmins”-Groups (ie. “Laptop01_Administrators”, “Laptop02_Administrators”, etc.).
[BONUS} wash, rinse & repeat for Remote Desktop Users ;-)
[BONUS No.2] Say you wanna be pesky about whom to grant Local Admin Permissions.
In this case, you might choose to designate an additional AD User (“JohnAdmin”), which would have the same rights as the Standard AD User (say “John”), but -- in addition, he’d also get membership to the “PC01_LocalAdmins”-Group.
This way, whenever John is prompted by UAC (say b/c he’s trying to setup 7zip or run stuff “As Administrator”), he may just simply type “JohnAdmin” as User (w/related password), without opening a new Support request!
Kudos to Alan Burchill and feel free to comment below.