There are three ways (that I know of..), to grant “Local Machine” Administrator credentials to a Windows Domain User:
- lusr-method (!).
- "Restricted Groups" / Secure Restricted Groups (convenient for that funny bunch).
- “Secure Local Administrators” (a-la Alan's way).
to grant “Local Machine” Administrator permissions to a Windows Domain User through lusrmgr.msc:
- Remotely login to the User’s Workstation as a “Domain Admin” (or physically sit in front of the User's Windows PC).
- Win+R –> “lusrmgr.msc”.
- From the Local Users and Groups Snap-in, Browse to Groups, Double Click on the “Administrators”-Group, locate your Domain User Account & grant him/her membership to the “Administrators”-Group.
- Repeat 1..3 for each desired Windows Computer.
lusrmgr.msc may work for your "home" domain or lab.
For that funny bunch of your colleagues, you may wish to use a more convenient way to perform the task of granting them “Local Machine” Administrator permissions.
The Restricted Groups-feature provides you more automation than the "lusrmgr.msc"-method (especially in regards to Step 4).
The Restricted Groups does just that - it "restricts" local groups membership to the (domain) Groups of your choice.
There are 2 ways to use Restricted Groups.
- The first way simply adds New Users along the pre-existing Local Administrators Users (within the (Local) "Administrators"-Group).
- The second way resets (ie. deletes/wipes) ALL the pre-existing Local Administrators Users off the (Local) "Administrators"-Group.
Restricted Groups / Secure Restricted Groups requirements.
- Active Directory Domain (SBS or Windows Server 2000+ based).
- Your "Domain User(s)" have to be members of a "Domain Group" (alas not so common on some SBS environments...).
On my example, I will assume your Domain User Jack Daniels is a member of the Group "G_HeadOfficeWorkstationAdmins".
- Since the Restricted Groups feature is provided by Group Policy, you should also have an OU with some Computers (unless you want to edit the "Default Domain Policy", which, of course you "can do"!).
Restricted Groups on your workstations - in 10 easy steps.
Today I will show you Restricted Groups because it is automated, non-destructive and less confusing to implement.
On my next article, I'll show you how to implement Secure Restricted Groups (which is pretty similar BTW).
- With Restricted Groups you will automatically add New Users to the (Local) "Administrators"-Group of each Windows PC member of your Domain.
That way, pre-existing Users (ie. already Members of the (Local) Administrators Group), won't be affected at all (which, depending on how you see it, it may represent an advantage OR a disadvantage).
- Browse to Administrative Tools -> Group Policy Management –> Locate your Computers OU (ie. “HeadOffice Workstations”) -> R-Click on your Computers OU & "Create GPO & Link it here" (name it, say, “HeadOffice Workstations Local Admins”).
- On the Group Policy Management Editor, Expand:
+ “Windows Settings”
+ “Security Settings”
+ “Restricted Groups”.
- On the Right pane of “Restricted Groups”, Right click and Select "Add Group...".
- To provide Local Admin Permissions to a Pre-existing Group (ie. say "G_HeadOfficeWorkstationAdmins"), Click on the "Browse..."-Button, locate G_HeadOfficeWorkstationAdmins (the group you wish to attach Local Admin Creds to) and Click Ok to confirm.
- A new "Group Name Properties"-window will popup.
On the new properties window skip/ignore the first text box area (ie. the one that says “Members of this group”...).
- Focus your attention to the second text box area, where it says "This group is a member of:"(on the lower half).
From http://support.microsoft.com/kb/279301 :"The "Member Of" list specifies which other groups the restricted group should belong to".
- Click on the "Add"-Button and Type (or copy-paste) "BuiltIn\Administrators" in the Group Membership dialog then Click OK to Confirm.
- [Optional] Click again on the “Add…”-Button & type "BuilIn\Remote Desktop Users" & Click OK.
- Run an admin cmd & "gpupdate /force".
- REBOOT the Target Computer(s) belonging to the (GPO-linked) OU.
Step No.7 is where you will actually grant Local Admin permissions to the members of the Restricted Group.
Step No. 8 is optional because Local Administrators already have Remote Desktop Access Permissions by default, (but if you must!).
Restricted Groups is "just OK" for small domains of (7 - 75) SMB Workstations, but it isn’t really that flexible because it relies only on Groups and OUs.
Secure Local Administrators (a-la Alan's-way).
If you want a preview of “how deep the rabbit hole goes”, then head to Alan’s grouppolicy.biz blog and read (...or should I say "decrypt"?), his sensational article: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
On my follow-up article, I will show you how to implement Secure Restricted Groups.