Local Admin user rights through group policy

    Question

  • Hello All,

    We are using Windows Server 2012 R2 Active Directory Server. We want to assign local admin rights to users through Group Policy for higher management only; other users will have normal Domain Users rights only (the normal users should not be able to install anything on their local machine). Please guide me on the easiest way to achieve it through Group Policy. What will be the required configuration?

    Best Regards,

    Monday, February 13, 2017 2:47 PM

Answers

  • Hi

     You should configure the "Restricted Group" policy and add these specific users and groups from this policy to the computers' "Local Administrators" group.

    https://technet.microsoft.com/en-us/library/cc957640.aspx?f=255&MSPPError=-2147217396


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, February 13, 2017 3:04 PM
  • Are all of the management users in the same Active Directory group? Adding people to the Restricted Users policy one at a time would be a bad way to do it, and you'd have to go edit group policy every time a new admin was brought on board. I would create an AD group (Workstation Administrators, for example), add all of those users to that group, and then go to the Restricted Users GPO as Burak said (and provided in his link), and add that group to the local administrators group. As long as that GPO is applied to your domain, all you have to do is add people to that Active Directory group, and they'll get admin rights on all your desktops.
    Tuesday, February 14, 2017 12:31 PM
  • Anyone, please help me to resolve the issue.

    First, it is better to create a group in AD and call it whatever you like. Then add the desired members to that group. Then, as Burak said, you need to use Restricted Groups in order to achieve what you want. Do not forget, when you are in the Restricted Groups config, to include the AD group which you created as the local admins group. Read links below:


    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, February 14, 2017 1:11 PM
    Moderator
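
The procedure described in the two answers above, as an added PowerShell example that is not part of the original thread: create the AD group, manage who is a workstation admin through group membership only, and audit a workstation's local Administrators group once the Restricted Groups GPO has applied. The OU path, account names, computer name and the `EXAMPLE` domain are assumptions; `Get-UnexpectedLocalAdmin` is a hypothetical helper name.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT); the audited workstations
# need PowerShell 5.1+ (Get-LocalGroupMember) and PowerShell remoting enabled.
Import-Module ActiveDirectory

# Assumptions, not from the thread: OU path and sample account names.
$GroupName = 'Workstation Administrators'   # example name suggested in the thread
$GroupSam  = 'WorkstationAdmins'            # hypothetical sAMAccountName
$GroupPath = 'OU=Groups,DC=example,DC=com'  # hypothetical OU
$Managers  = 'jdoe', 'asmith'               # hypothetical management users

# 1. Create the group once. The GPO references this group, so later staffing
#    changes are membership edits and never GPO edits.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupSam'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
        -GroupCategory Security -GroupScope Global -Path $GroupPath `
        -Description 'Local admin on workstations via Restricted Groups GPO'
}

# 2. Grant or revoke workstation admin rights by changing membership.
Add-ADGroupMember -Identity $GroupSam -Members $Managers
# Remove-ADGroupMember -Identity $GroupSam -Members 'jdoe' -Confirm:$false

# 3. After the policy refresh (gpupdate /force on the client), list members of the
#    local Administrators group (well-known SID S-1-5-32-544) that are not expected.
function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $Expected   # 'DOMAIN\name' entries
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
            # Skip the built-in Administrator account (RID 500), flag the rest.
            $_.SID.Value -notlike 'S-1-5-21-*-500' -and
            $using:Expected -notcontains $_.Name
        } | Select-Object Name, ObjectClass, @{ n = 'SID'; e = { $_.SID.Value } }
    }
}

# Constructed sample call: an empty result means only the expected principals
# hold local admin rights on PC01.
Get-UnexpectedLocalAdmin -ComputerName 'PC01' `
    -Expected 'EXAMPLE\Domain Admins', "EXAMPLE\$GroupSam"
```

In the GPO itself, adding the AD group under Restricted Groups with "This group is a member of" set to Administrators is additive, whereas defining Administrators with "Members of this group" replaces the existing membership with the listed one, so Domain Admins must be listed explicitly in that mode.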

All replies

  • Thanks for the reply. Can you please explain more? Or is there any step-by-step document available?

    Which users need to be added to the Restricted Group? Let's say we have 250 normal users who need only Domain Users rights on their local machines and 20 management users who need admin privileges on their local machines; how do we configure the Restricted Group then? One more thing: let's say we want to remove a user from the 250 normal users with Domain Users rights and add him to the management group; what will be the procedure?


    • Edited by Sawag Monday, February 13, 2017 5:17 PM
    Monday, February 13, 2017 5:12 PM
  • Anyone, please help me to resolve the issue.
    Tuesday, February 14, 2017 10:37 AM
  • Hi,

    Are there any updates?

    If the reply above has resolved your problem, please mark it as answer.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, February 26, 2017 2:46 PM
    Moderator